Merge pull request #24220 from bnusunny/main

ewbankkit · web-flow · commit f5d5c0264b81 · 2022-04-13T16:36:36.000-04:00
fixing error for creating additonal Lambda URLs on the same function
diff --git a/.changelog/24220.txt b/.changelog/24220.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_lambda_function_url: Ignore `ResourceConflictException` errors caused by existing `FunctionURLAllowPublicAccess` permission statements
+```
diff --git a/internal/service/lambda/function_url.go b/internal/service/lambda/function_url.go
@@ -149,11 +149,19 @@ func resourceFunctionURLCreate(ctx context.Context, d *schema.ResourceData, meta
 			StatementId:         aws.String("FunctionURLAllowPublicAccess"),
 		}
 
+		if qualifier != "" {
+			input.Qualifier = aws.String(qualifier)
+		}
+
 		log.Printf("[DEBUG] Adding Lambda Permission: %s", input)
 		_, err := conn.AddPermissionWithContext(ctx, input)
 
 		if err != nil {
-			return diag.Errorf("error adding Lambda Function URL (%s) permission %s", d.Id(), err)
+			if tfawserr.ErrMessageContains(err, lambda.ErrCodeResourceConflictException, "The statement id (FunctionURLAllowPublicAccess) provided already exists") {
+				log.Printf("[DEBUG] function permission statement 'FunctionURLAllowPublicAccess' already exists.")
+			} else {
+				return diag.Errorf("error adding Lambda Function URL (%s) permission %s", d.Id(), err)
+			}
 		}
 	}
 
diff --git a/internal/service/lambda/function_url_test.go b/internal/service/lambda/function_url_test.go
@@ -17,9 +17,7 @@ import (
 )
 
 func testAccFunctionURLPreCheck(t *testing.T) {
-	if got, want := acctest.Partition(), endpoints.AwsPartitionID; got != want {
-		t.Skipf("Lambda Function URLs are not supported in %s partition", got)
-	}
+	acctest.PreCheckPartition(endpoints.AwsPartitionID, t)
 }
 
 func TestAccLambdaFunctionURL_basic(t *testing.T) {
@@ -155,6 +153,58 @@ func TestAccLambdaFunctionURL_Alias(t *testing.T) {
 	})
 }
 
+func TestAccLambdaFunctionURL_TwoURLs(t *testing.T) {
+	var conf lambda.GetFunctionUrlConfigOutput
+	latestResourceName := "aws_lambda_function_url.latest"
+	liveResourceName := "aws_lambda_function_url.live"
+	rString := sdkacctest.RandString(8)
+	funcName := fmt.Sprintf("tf_acc_lambda_func_basic_%s", rString)
+	aliasName := "live"
+	policyName := fmt.Sprintf("tf_acc_policy_lambda_func_basic_%s", rString)
+	roleName := fmt.Sprintf("tf_acc_role_lambda_func_basic_%s", rString)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { acctest.PreCheck(t); testAccFunctionURLPreCheck(t) },
+		ErrorCheck:   acctest.ErrorCheck(t, lambda.EndpointsID),
+		Providers:    acctest.Providers,
+		CheckDestroy: testAccCheckFunctionURLDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccFunctionURLTwoURLsConfig(funcName, aliasName, policyName, roleName),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckFunctionURLExists(latestResourceName, &conf),
+					resource.TestCheckResourceAttr(latestResourceName, "authorization_type", lambda.FunctionUrlAuthTypeNone),
+					resource.TestCheckResourceAttr(latestResourceName, "cors.#", "0"),
+					resource.TestCheckResourceAttrSet(latestResourceName, "function_arn"),
+					resource.TestCheckResourceAttr(latestResourceName, "function_name", funcName),
+					resource.TestCheckResourceAttrSet(latestResourceName, "function_url"),
+					resource.TestCheckResourceAttr(latestResourceName, "qualifier", ""),
+					resource.TestCheckResourceAttrSet(latestResourceName, "url_id"),
+
+					testAccCheckFunctionURLExists(liveResourceName, &conf),
+					resource.TestCheckResourceAttr(liveResourceName, "authorization_type", lambda.FunctionUrlAuthTypeNone),
+					resource.TestCheckResourceAttr(liveResourceName, "cors.#", "0"),
+					resource.TestCheckResourceAttrSet(liveResourceName, "function_arn"),
+					resource.TestCheckResourceAttr(liveResourceName, "function_name", funcName),
+					resource.TestCheckResourceAttrSet(liveResourceName, "function_url"),
+					resource.TestCheckResourceAttr(liveResourceName, "qualifier", "live"),
+					resource.TestCheckResourceAttrSet(liveResourceName, "url_id"),
+				),
+			},
+			{
+				ResourceName:      latestResourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				ResourceName:      liveResourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccCheckFunctionURLExists(n string, v *lambda.GetFunctionUrlConfigOutput) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[n]
@@ -397,3 +447,34 @@ resource "aws_lambda_function_url" "test" {
 }
 `, funcName, aliasName))
 }
+
+func testAccFunctionURLTwoURLsConfig(funcName, aliasName, policyName, roleName string) string {
+	return acctest.ConfigCompose(testAccFunctionURLBaseConfig(policyName, roleName), fmt.Sprintf(`
+resource "aws_lambda_function" "test" {
+  filename      = "test-fixtures/lambdatest.zip"
+  function_name = %[1]q
+  role          = aws_iam_role.iam_for_lambda.arn
+  handler       = "exports.example"
+  runtime       = "nodejs14.x"
+  publish       = true
+}
+
+resource "aws_lambda_function_url" "latest" {
+  function_name      = aws_lambda_function.test.function_name
+  authorization_type = "NONE"
+}
+
+resource "aws_lambda_alias" "live" {
+  name             = %[2]q
+  description      = "a sample description"
+  function_name    = aws_lambda_function.test.function_name
+  function_version = aws_lambda_function.test.version
+}
+
+resource "aws_lambda_function_url" "live" {
+  function_name      = aws_lambda_function.test.function_name
+  qualifier          = aws_lambda_alias.live.name
+  authorization_type = "NONE"
+}
+`, funcName, aliasName))
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:bug
	`2`	+resource/aws_lambda_function_url: Ignore `ResourceConflictException` errors caused by existing `FunctionURLAllowPublicAccess` permission statements
	`3`	+```
Original file line number	Diff line number	Diff line change
`@@ -149,11 +149,19 @@ func resourceFunctionURLCreate(ctx context.Context, d *schema.ResourceData, meta`
`149`	`149`	`StatementId: aws.String("FunctionURLAllowPublicAccess"),`
`150`	`150`	`}`
`151`	`151`
	`152`	`+ if qualifier != "" {`
	`153`	`+ input.Qualifier = aws.String(qualifier)`
	`154`	`+ }`
	`155`	`+`
`152`	`156`	`log.Printf("[DEBUG] Adding Lambda Permission: %s", input)`
`153`	`157`	`_, err := conn.AddPermissionWithContext(ctx, input)`
`154`	`158`
`155`	`159`	`if err != nil {`
`156`		`- return diag.Errorf("error adding Lambda Function URL (%s) permission %s", d.Id(), err)`
	`160`	`+ if tfawserr.ErrMessageContains(err, lambda.ErrCodeResourceConflictException, "The statement id (FunctionURLAllowPublicAccess) provided already exists") {`
	`161`	`+ log.Printf("[DEBUG] function permission statement 'FunctionURLAllowPublicAccess' already exists.")`
	`162`	`+ } else {`
	`163`	`+ return diag.Errorf("error adding Lambda Function URL (%s) permission %s", d.Id(), err)`
	`164`	`+ }`
`157`	`165`	`}`
`158`	`166`	`}`
`159`	`167`