Introduction
You might have received an email from AWS (excerpt below) regarding a Lambda ARN policy change that will impact your account, and you might be wondering how to account for those changes in your Terraform resource configuration.
AWS Lambda ARN Email Notification Excerpt
Hello,
You are receiving this email because AWS Lambda is making a change to the IAM policy
evaluation when accessing Lambda function APIs, and we identified that your account
will be impacted by this change...
Link to full notification email here.
Cause & Solution
This is an API change made by AWS per their service terms, so to comply with the directives in the announcement, here are the respective configuration changes you'll need to make:
- Append the version number or alias name to the unqualified function ARN in your policy's Resource element.
- To allow access to all the sub-resources of a function, append ":" and "*" (that is, ":*") to the unqualified function ARN. To allow access to both the function (unqualified ARN) and all sub-resources of a function, append "*" to the unqualified function ARN.
- Additionally, you need to ensure the updated policies are used by the IAM users/roles that make the Lambda API calls.
NOTE: In the respective email you receive from them (AWS), they list the resource(s) and region(s) affected in your account.
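The Resource forms listed above, written as a Terraform policy document. This is an added example, not configuration from AWS or from the original article; the ARN, the alias name "live", the version number, the `lambda:InvokeFunction` action and the `caller_role_name` variable are constructed placeholders.

```hcl
variable "caller_role_name" {
  type        = string
  description = "Hypothetical: name of the IAM role that makes the Lambda API calls."
}

locals {
  # Constructed sample value. In a real configuration this would be
  # aws_lambda_function.<name>.arn, which is the unqualified function ARN.
  function_arn = "arn:aws:lambda:us-east-1:123456789012:function:example"

  # One specific sub-resource: append an alias name or a version number.
  alias_arn   = "${local.function_arn}:live"
  version_arn = "${local.function_arn}:3"

  # All sub-resources (every version and alias), but not the unqualified ARN.
  all_sub_resources = "${local.function_arn}:*"

  # Unqualified ARN and all sub-resources in one pattern. This also matches any
  # other function whose name starts with "example" (for instance
  # "example-admin"), so the two-entry list used below is the tighter grant.
  function_and_sub_resources = "${local.function_arn}*"
}

data "aws_iam_policy_document" "invoke_example" {
  statement {
    sid     = "InvokeFunctionAndSubResources"
    effect  = "Allow"
    actions = ["lambda:InvokeFunction"] # sample action, adjust to the calls you make

    # Listing both entries covers the function and all of its sub-resources
    # without widening the grant to similarly named functions.
    resources = [
      local.function_arn,
      local.all_sub_resources,
    ]
  }
}

# Attach the updated policy to the role that actually makes the calls.
resource "aws_iam_role_policy" "invoke_example" {
  name   = "invoke-example"
  role   = var.caller_role_name
  policy = data.aws_iam_policy_document.invoke_example.json
}
```

To restrict the caller to a single alias or version, replace the `resources` list with `[local.alias_arn]` or `[local.version_arn]`.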
If you need further assistance on the changes required to comply with this announcement, please reach out to AWS Support.
IMPORTANT: Please remember that, according to AWS, if you do not take this action by April 30, 2022, [your] Lambda API calls will fail with permission errors.
Thank you.