r/aws_lambda_permission(test): scope down invoke function url permissions (#43975)

jar-b · web-flow · commit cdcd24a7a07b · 2025-08-21T13:03:44.000-04:00
Previously the `_FunctionURLs` acceptance test configurations granted permissions to a wildcard (`*`) principal. The permissions have been scoped down to an individual IAM role for least privileged access instead.

```console
% make testacc PKG=lambda TESTS=TestAccLambdaPermission_FunctionURLs
make: Verifying source code with gofmt...
==&gt; Checking that code complies with gofmt requirements...
TF_ACC=1 go1.24.6 test ./internal/service/lambda/... -v -count 1 -parallel 20 -run='TestAccLambdaPermission_FunctionURLs'  -timeout 360m -vet=off
2025/08/20 19:57:29 Creating Terraform AWS Provider (SDKv2-style)...
2025/08/20 19:57:29 Initializing Terraform AWS Provider (SDKv2-style)...

--- PASS: TestAccLambdaPermission_FunctionURLs_none (30.39s)
--- PASS: TestAccLambdaPermission_FunctionURLs_iam (36.38s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/lambda     43.043s
```
diff --git a/internal/service/lambda/permission_test.go b/internal/service/lambda/permission_test.go
@@ -644,6 +644,7 @@ func TestAccLambdaPermission_FunctionURLs_iam(t *testing.T) {
 
 	resourceName := "aws_lambda_permission.test"
 	functionResourceName := "aws_lambda_function.test"
+	roleResourceName := "aws_iam_role.test"
 
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
@@ -656,7 +657,7 @@ func TestAccLambdaPermission_FunctionURLs_iam(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckPermissionExists(ctx, resourceName, &statement),
 					resource.TestCheckResourceAttr(resourceName, names.AttrAction, "lambda:InvokeFunctionUrl"),
-					resource.TestCheckResourceAttr(resourceName, names.AttrPrincipal, "*"),
+					resource.TestCheckResourceAttrPair(resourceName, names.AttrPrincipal, roleResourceName, names.AttrARN),
 					resource.TestCheckResourceAttr(resourceName, "statement_id", "AllowExecutionWithIAM"),
 					resource.TestCheckResourceAttr(resourceName, "qualifier", ""),
 					resource.TestCheckResourceAttrPair(resourceName, "function_name", functionResourceName, "function_name"),
@@ -680,6 +681,7 @@ func TestAccLambdaPermission_FunctionURLs_none(t *testing.T) {
 
 	resourceName := "aws_lambda_permission.test"
 	functionResourceName := "aws_lambda_function.test"
+	roleResourceName := "aws_iam_role.test"
 
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
@@ -692,7 +694,7 @@ func TestAccLambdaPermission_FunctionURLs_none(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckPermissionExists(ctx, resourceName, &statement),
 					resource.TestCheckResourceAttr(resourceName, names.AttrAction, "lambda:InvokeFunctionUrl"),
-					resource.TestCheckResourceAttr(resourceName, names.AttrPrincipal, "*"),
+					resource.TestCheckResourceAttrPair(resourceName, names.AttrPrincipal, roleResourceName, names.AttrARN),
 					resource.TestCheckResourceAttr(resourceName, "statement_id", "AllowExecutionFromWithoutAuth"),
 					resource.TestCheckResourceAttr(resourceName, "qualifier", ""),
 					resource.TestCheckResourceAttrPair(resourceName, "function_name", functionResourceName, "function_name"),
@@ -1060,7 +1062,7 @@ resource "aws_lambda_permission" "test" {
   statement_id           = "AllowExecutionWithIAM"
   action                 = "lambda:InvokeFunctionUrl"
   function_name          = aws_lambda_function.test.function_name
-  principal              = "*"
+  principal              = aws_iam_role.test.arn
   function_url_auth_type = "AWS_IAM"
 }
 `)
@@ -1072,7 +1074,7 @@ resource "aws_lambda_permission" "test" {
   statement_id           = "AllowExecutionFromWithoutAuth"
   action                 = "lambda:InvokeFunctionUrl"
   function_name          = aws_lambda_function.test.function_name
-  principal              = "*"
+  principal              = aws_iam_role.test.arn
   function_url_auth_type = "NONE"
 }
 `)
