aws_lambda_invocation : apply vs destroy

[abruyelles]

Hi,

We are using the aws_lambda_invocation datasource from the aws provider as a way to protect some access while letting untrusted users perform the task

To illustrate, we want to create AWS ACM certificate, they require a DNS TXT
Our users are free to create the ACM certificates as well
However, we cannot let them manage the DNS zones
We are using an aws_lambda_invocation as a helper:

• the user creates an aws_acm_certificate resource in its own AWS account
• the user calls an aws_lambda_invocation datasource with, as parameter, the information of the newly created ACM certificate
• the lambda has the right to create the appropriate TXT

So far, so good

However, we have an issue on destroy : the TXT records are not deleted, because we cannot make the difference between an apply and a destroy : datasource parameters are the same

It would be awesome if an extra, optional parameter could be put to make the difference between an apply and a destroy

[justinretzolk]

Hey @abruyelles 👋 Thank you for taking the time to raise this! So that we have all of the necessary information to prioritize and investigate this, can you update the issue description with the rest of the information requested in the feature request template?

[abruyelles]

@justinretzolk Sure, my bad
The affected datasource would be aws_lambda_invocation
A potential terraform configuration would be something like this:

data "aws_lambda_invocation" "example" {
  function_name = aws_lambda_function.lambda_function_test.function_name
  differentiate_on_destroy = "my_custom_field"

  input = <<JSON
{
  "key1": "value1",
  "key2": "value2"
}
JSON
}

If differentiate_on_destroy is unset (the current, default value), then that json would be sent on all invocations:

{
  "key1": "value1",
  "key2": "value2"
}

If differentiate_on_destroy is set, then the same json would be sent for applies
However, for destroy, it would become:

{
  "key1": "value1",
  "key2": "value2",
  "my_custom_field": true
}

That new variable would be a string and not a boolean, because a hard-coded field name may overlaps with the user document

Thank you for reviewing

[pvbouwel]

I've opened #29367 which would trigger the Lambda function on every resource state transition. It will manipulate the JSON payload to provide details to the Lambda function. It will add a key tf which holds the action [create, update, delete] and the prev_input (null for a create otherwise the event from the previous invocation.
So the lambda handler can decide which processing to do based on event.tf.action.
In case of an update you can also do the required changes since tf.prev_input.username and username in the JSON body will allow you to create an alter user SQL statement to implement the required changes.

This way there is no need to provision multiple lambda functions as a single function can handle each event accordingly.

[github-actions]

This functionality has been released in v5.1.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.