pulumi-aws-native
Can't deploy a fully working Lambda Function URL example
What happened?
The Pulumi article on Lambda Function URL doesn’t contain a working example. I can’t call the URL that is created because the Lambda is lacking a critical permission (lambda:InvokeFunctionUrl) and I don’t know how to add it because I don’t know how to add the necessary condition using the classic aws.lambda.Permission resource. Any help?
Steps to reproduce
It's the same code as the article
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsnative from "@pulumi/aws-native";

const lambdaRole = new awsnative.iam.Role("lambdaRole", {
  assumeRolePolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Action: "sts:AssumeRole",
        Principal: {
          Service: "lambda.amazonaws.com",
        },
        Effect: "Allow",
        Sid: "",
      },
    ],
  },
});

const lambdaRoleAttachment = new aws.iam.RolePolicyAttachment(
  "lambdaRoleAttachment",
  {
    role: pulumi.interpolate`${lambdaRole.roleName}`,
    policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole,
  }
);

const helloFunction = new awsnative.lambda.Function("helloFunction", {
  role: lambdaRole.arn,
  runtime: "nodejs14.x",
  handler: "index.handler",
  code: {
    zipFile: `exports.handler = function(event, context, callback){ callback(null, {"response": "Hello "}); };`,
  },
});

const lambdaUrl = new awsnative.lambda.Url("test", {
  targetFunctionArn: helloFunction.arn,
  authType: awsnative.lambda.UrlAuthType.None,
});

export const url = lambdaUrl.functionUrl;
Then you curl the url and it fails because the Lambda is missing the permission
curl https://v2fcp4tpzqi5jclbrwuhctiy340uorfl.lambda-url.eu-central-1.on.aws/
{"Message":"Forbidden"}
Here is an example of the correct permission I need to add to the lambda for the public URL to work:
Statement ID: FunctionURLAllowPublicAccess
Principal: *
Effect: Allow
Action: lambda:InvokeFunctionUrl
Conditions
{
  "StringEquals": {
    "lambda:FunctionUrlAuthType": "NONE"
  }
}
Expected Behavior
I should have a way to deploy the needed lambda permissions to allow calling a function URL.
Actual Behavior
I can't call the endpoint because I'm missing a permission on the Lambda.
Versions used
CLI
Version 3.28.0
Go Version go1.18
Go Compiler gc
Plugins
NAME VERSION
aws 5.1.2
aws 5.1.2
aws 5.1.2
aws 5.1.0
aws 5.1.0
aws-native 0.15.0
aws-native 0.15.0
docker 3.1.0
docker 3.1.0
docker 3.1.0
docker 3.1.0
nodejs unknown
Host
OS darwin
Version 12.3
Arch arm64
This project is written in nodejs (/Users/tirke/Library/Caches/fnm_multishells/42441_1649928408698/bin/node v16.14.2)
Additional context
No response
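Added example, not part of the original issue and not Pulumi's code: a small TypeScript check that reads a Lambda resource policy and reports which statements open a function URL with auth type NONE to anyone, using the statement listed in the issue as one sample. The type names, function names and both sample policies are constructed for illustration, and the check is simplified to Allow statements only.

```typescript
// Added example (not from the issue). Allow statements only; Deny, NotAction,
// NotPrincipal and condition keys other than the auth type are not evaluated.
type Statement = {
  Sid?: string;
  Effect: string;
  Principal: string | { [kind: string]: string | string[] };
  Action: string | string[];
  Condition?: { [op: string]: { [key: string]: string | string[] } };
};
type Policy = { Version?: string; Statement: Statement[] };

const asList = (v?: string | string[]): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// True for Principal "*" and for {"AWS": "*"}.
function isAnyone(p: Statement["Principal"]): boolean {
  return typeof p === "string" ? p === "*" : asList(p["AWS"]).indexOf("*") !== -1;
}

// Sids of statements that let unauthenticated callers use a URL whose auth type is NONE.
function publicUrlStatements(policy: Policy): string[] {
  const urlActions = ["lambda:invokefunctionurl", "lambda:*", "*"];
  return policy.Statement.filter((s) => {
    if (s.Effect !== "Allow" || !isAnyone(s.Principal)) return false;
    const actions = asList(s.Action).map((a) => a.toLowerCase());
    if (!actions.some((a) => urlActions.indexOf(a) !== -1)) return false;
    const authType = s.Condition?.["StringEquals"]?.["lambda:FunctionUrlAuthType"];
    // A statement with no auth-type condition is not limited to one auth type.
    return authType === undefined || asList(authType).indexOf("NONE") !== -1;
  }).map((s) => s.Sid ?? "(no Sid)");
}

// Constructed sample: the statement listed in the issue.
const withUrlStatement: Policy = {
  Version: "2012-10-17",
  Statement: [{
    Sid: "FunctionURLAllowPublicAccess",
    Effect: "Allow",
    Principal: "*",
    Action: "lambda:InvokeFunctionUrl",
    Condition: { StringEquals: { "lambda:FunctionUrlAuthType": "NONE" } },
  }],
};
// Constructed sample: a policy without it, the state the issue reports as Forbidden.
const withoutUrlStatement: Policy = {
  Version: "2012-10-17",
  Statement: [{ Sid: "AllowEvents", Effect: "Allow",
    Principal: { Service: "events.amazonaws.com" }, Action: "lambda:InvokeFunction" }],
};
```

An empty result for a URL with auth type NONE matches the Forbidden reply shown in the issue; a non-empty result means the listed statements make the function callable by anyone who has the URL.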