
aws_lambda_layer_version_permission is not idempotent when more than one permission exists for a layer version

Open Jorge-Rodriguez opened this issue 3 years ago • 3 comments

Terraform CLI and Terraform AWS Provider Version

Terraform v1.0.8
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v3.67.0

Affected Resource(s)

  • aws_lambda_layer_version_permission

Terraform Configuration Files

resource "aws_lambda_layer_version_permission" "authorizer" {
  for_each = toset([local.inari_accounts.staging.id, local.inari_accounts.production.id])

  layer_name     = module.authorizer_layer.lambda_layer_layer_arn
  version_number = module.authorizer_layer.lambda_layer_version
  principal      = each.value
  statement_id   = "${module.authorizer_layer.lambda_layer_version}-${each.value}"
  action         = "lambda:GetLayerVersion"
}

Error Output

╷
│ Error: error adding Lambda Layer Version Permission (layer: arn:aws:lambda:eu-west-1:***:layer:authorizer_layer, version: 52): ResourceConflictException: The statement id (52-728314938062) provided already exists. Please provide a new statement id, or remove the existing statement.
│ {
│   RespMetadata: {
│     StatusCode: 409,
│     RequestID: "988722c4-d407-4244-bd1f-e4b7b6a4207b"
│   },
│   Message_: "The statement id (52-728314938062) provided already exists. Please provide a new statement id, or remove the existing statement.",
│   Type: "User"
│ }
│ 
│   with aws_lambda_layer_version_permission.authorizer["728314938062"],
│   on apigw.tf line 55, in resource "aws_lambda_layer_version_permission" "authorizer":
│   55: resource "aws_lambda_layer_version_permission" "authorizer" {
│ 
╵

Expected Behavior

No changes to the infrastructure; the infrastructure is up to date.

Actual Behavior

The resources are tentatively replaced

  # aws_lambda_layer_version_permission.okta_authorizer["008049879029"] must be replaced
-/+ resource "aws_lambda_layer_version_permission" "okta_authorizer" {
      ~ id             = "arn:aws:lambda:eu-west-1:***:layer:okta_authorizer_layer,3" -> (known after apply)
      ~ layer_name     = "arn:aws:lambda:eu-west-1:***:layer:okta_authorizer_layer" -> (known after apply) # forces replacement
      ~ policy         = jsonencode(
            {
              - Id        = "default"
              - Statement = [
                  - {
                      - Action    = "lambda:GetLayerVersion"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::008049879029:root"
                        }
                      - Resource  = "arn:aws:lambda:eu-west-1:***:layer:okta_authorizer_layer:3"
                      - Sid       = "3-008049879029"
                    },
                  - {
                      - Action    = "lambda:GetLayerVersion"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::728314938062:root"
                        }
                      - Resource  = "arn:aws:lambda:eu-west-1:***:layer:okta_authorizer_layer:3"
                      - Sid       = "3-728314938062"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
      ~ revision_id    = "e86df11f-2890-4a0b-9698-7ecc5c131c24" -> (known after apply)
      ~ statement_id   = "3-008049879029" -> (known after apply) # forces replacement
      ~ version_number = 3 -> (known after apply) # forces replacement
        # (2 unchanged attributes hidden)
    }

  # aws_lambda_layer_version_permission.okta_authorizer["728314938062"] must be replaced
-/+ resource "aws_lambda_layer_version_permission" "okta_authorizer" {
      ~ id             = "arn:aws:lambda:eu-west-1:***:layer:okta_authorizer_layer,3" -> (known after apply)
      ~ layer_name     = "arn:aws:lambda:eu-west-1:***:layer:okta_authorizer_layer" -> (known after apply) # forces replacement
      ~ policy         = jsonencode(
            {
              - Id        = "default"
              - Statement = [
                  - {
                      - Action    = "lambda:GetLayerVersion"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::008049879029:root"
                        }
                      - Resource  = "arn:aws:lambda:eu-west-1:***:layer:okta_authorizer_layer:3"
                      - Sid       = "3-008049879029"
                    },
                  - {
                      - Action    = "lambda:GetLayerVersion"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::728314938062:root"
                        }
                      - Resource  = "arn:aws:lambda:eu-west-1:***:layer:okta_authorizer_layer:3"
                      - Sid       = "3-728314938062"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
      ~ principal      = "008049879029" -> "728314938062" # forces replacement
      ~ revision_id    = "e86df11f-2890-4a0b-9698-7ecc5c131c24" -> (known after apply)
      ~ statement_id   = "3-008049879029" -> (known after apply) # forces replacement
      ~ version_number = 3 -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)
    }

Steps to Reproduce

  1. terraform apply

Important Factoids

Note the change in principal on the last planned resource change. It would appear that Terraform is comparing the second resource's configuration with the first of the permissions applied to the layer version, not with the second one.

Jorge-Rodriguez, Nov 26 '21 15:11
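The following is an added illustration, not code from the issue or from terraform-provider-aws, of the read behaviour the report describes. It parses a layer-version policy document shaped like the one in the plan output (a constructed sample reusing the two account IDs from the issue; the account in the layer ARN is a placeholder) and contrasts two ways of reading a resource back: taking the principal of the first statement regardless of `statement_id`, which reproduces the spurious "forces replacement" diff on the second resource, and selecting the statement whose `Sid` equals the resource's `statement_id`, which is what an idempotent read needs. The `Principal.AWS` field is assumed to be a single ARN string, as shown in the plan.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Shape of the layer-version policy document as shown in the plan output.
// Assumption: Principal.AWS and Action are single strings, as in the issue.
type policyDocument struct {
	Version   string      `json:"Version"`
	ID        string      `json:"Id"`
	Statement []statement `json:"Statement"`
}

type statement struct {
	Sid       string    `json:"Sid"`
	Effect    string    `json:"Effect"`
	Principal principal `json:"Principal"`
	Action    string    `json:"Action"`
	Resource  string    `json:"Resource"`
}

type principal struct {
	AWS string `json:"AWS"`
}

// samplePolicy is a constructed document with the same two statements the
// issue's plan shows. The account in the layer ARN is a placeholder.
const samplePolicy = `{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {"Sid": "3-008049879029", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::008049879029:root"},
     "Action": "lambda:GetLayerVersion",
     "Resource": "arn:aws:lambda:eu-west-1:111111111111:layer:okta_authorizer_layer:3"},
    {"Sid": "3-728314938062", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::728314938062:root"},
     "Action": "lambda:GetLayerVersion",
     "Resource": "arn:aws:lambda:eu-west-1:111111111111:layer:okta_authorizer_layer:3"}
  ]
}`

// accountFromPrincipal extracts the account ID from "arn:aws:iam::<account>:root",
// which is how the plan reports the principal attribute (account ID, not ARN).
func accountFromPrincipal(arn string) string {
	parts := strings.Split(arn, ":")
	if len(parts) >= 6 && parts[0] == "arn" {
		return parts[4]
	}
	return arn
}

// readFirstStatement models the behaviour the issue reports: whatever statement_id
// the resource was created with, the principal of Statement[0] is read back, so the
// second resource appears to have changed principal and is planned for replacement.
func readFirstStatement(policyJSON string) (string, error) {
	var doc policyDocument
	if err := json.Unmarshal([]byte(policyJSON), &doc); err != nil {
		return "", err
	}
	if len(doc.Statement) == 0 {
		return "", errors.New("policy has no statements")
	}
	return accountFromPrincipal(doc.Statement[0].Principal.AWS), nil
}

// readByStatementID is the idempotent read: locate the statement whose Sid equals the
// resource's statement_id and return only that statement's principal. A missing Sid is
// reported as an error rather than silently falling back to another statement.
func readByStatementID(policyJSON, statementID string) (string, error) {
	var doc policyDocument
	if err := json.Unmarshal([]byte(policyJSON), &doc); err != nil {
		return "", err
	}
	for _, s := range doc.Statement {
		if s.Sid == statementID {
			return accountFromPrincipal(s.Principal.AWS), nil
		}
	}
	return "", fmt.Errorf("statement %q not found in policy", statementID)
}

func main() {
	for _, sid := range []string{"3-008049879029", "3-728314938062"} {
		first, _ := readFirstStatement(samplePolicy)
		byID, err := readByStatementID(samplePolicy, sid)
		fmt.Printf("statement_id=%s first-statement principal=%s matching principal=%s err=%v\n",
			sid, first, byID, err)
	}
}
```

Running it shows the first-statement read returning 008049879029 for both statement IDs, which matches the `principal = "008049879029" -> "728314938062"` line in the second planned change, while the Sid-keyed read returns the principal that each resource actually created.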