AWS Lambda permissions source_arn should allow wildcards

This issue was originally opened by @bholzer as hashicorp/terraform#22670. It was migrated here as a result of the provider split. The original body of the issue is below.

---

Terraform Version

Terraform v0.12.7
+ provider.archive v1.2.2
+ provider.aws v2.22.0
+ provider.random v2.2.0

Terraform Configuration Files

resource "aws_lambda_permission" "farm_projects_index_lambda_permission" {
  statement_id  = "AllowExecutionFromAPIGateway"
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.farm_projects_index_lambda.function_name}"
  principal     = "apigateway.amazonaws.com"

  # More: http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html
  source_arn = "arn:aws:execute-api:${var.region}:*:${aws_api_gateway_rest_api.farm_api.id}/*/${aws_api_gateway_method.farm_projects_index.http_method}${aws_api_gateway_resource.farm_projects.path}"
}

Expected Behavior

AWS documentation (linked to by terraform docs) shows that wildcards are allowed for region and account ID for the resource expressions on lambda permissions:

arn:aws:execute-api:us-east-1:*:* for any resource path in any stage, for any API in the AWS region of us-east-1.

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html

Actual Behavior

Error: "source_arn" doesn't look like a valid ARN ("^arn:[\\w-]+:([a-zA-Z0-9\\-])+:([a-z]{2}-(gov-)?[a-z]+-\\d{1})?:(\\d{12})?:(.*)$"): "arn:aws:execute-api:us-east-1:*:cd4u48mqbh/*/GET/projects"

Appears the source_arn arg is validated by a regex that disallows for a wildcard in the region or account_id part of the ARN.

Steps to Reproduce

Create a lambda function, API gateway, API gateway resource and method, and use the lambda permission provided above.

[atom88888]

It appears the "*" doesn't work for all HTTP verbs? (e.g. POST, GET) etc.?

Others are having similar trouble here:
https://stackoverflow.com/questions/54835528/aws-api-gateway-and-lambda-function-deployed-through-terraform-execution-fail/54868502#54868502

and here:
https://stackoverflow.com/questions/54067224/execution-failed-due-to-configuration-error-invalid-permissions-on-lambda-funct

[gpontesss]

Also having a problem with this. Are there any updates on it?

[ouvtk]

TL;DR: I believe terraform behaves correctly (even though I don't like that fact)

Also were facing the same issue, as I thought it is an issue. But from my current understanding terraform behaves correctly within AWS constraints.

Even though wildcards are allowed for a permissions in IAM policies, they are not allowed as a permissions for a Lambda triggers.

Documentation for Lambda's AddPermission Request Body defines arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\-])+:([a-z]{2}(-gov)?-[a-z]+-\d{1})?:(\d{12})?:(.*) regex for an ARN.

Also web console throws an error on attempt to create trigger with a wildcard:

An error occurred when creating the trigger: 1 validation error detected: Value 'arn:aws:sns:*:123456789012:topic-name' at 'sourceArn' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\-])+:([a-z]{2}((-gov)|(-iso(b?)))?-[a-z]+-\d{1})?:(\d{12})?:(.*) (Service: AWSLambda; Status Code: 400; Error Code: ValidationException; Request ID: ...; Proxy: null)

Not sure if I'm missing something.

[justinretzolk]

As mentioned above, it looks like this is a limitation of the underlying API. Since this is the case, we'll close this issue. If the API changes in the future, we'll be happy to look into this again.

[Wyfy0107]

Any update on this because I'm still having this issue. Even though there is no validation error when creating the api gateway and lambda permission. However if visit the lambda trigger console, aws will show this error: The API with ID **** doesn’t include a resource with path /* having an integration **** on the ANY method.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.