Question:
I’m using Terraform to create a Cognito User Pool. I’d like to use a Lambda function for sending a custom message when a user signs up. When I attempt to sign up on the client, I get an error saying that “CustomMessage invocation failed due to error AccessDeniedException.” I’ve used Lambda permissions before, but I can’t find any examples of this configuration. How do I give the Lambda function permission? The following is my current configuration.
```hcl
resource "aws_cognito_user_pool" "main" {
  name                = "${var.user_pool_name}_${var.stage}"
  username_attributes = ["email"]

  schema {
    attribute_data_type = "String"
    mutable             = true
    name                = "name"
    required            = true
  }

  schema {
    attribute_data_type = "String"
    mutable             = true
    name                = "email"
    required            = true
  }

  password_policy {
    minimum_length    = "8"
    require_lowercase = true
    require_numbers   = true
    require_symbols   = true
    require_uppercase = true
  }

  mfa_configuration = "OFF"

  lambda_config {
    custom_message    = aws_lambda_function.custom_message.arn
    post_confirmation = aws_lambda_function.post_confirmation.arn
  }
}

...

resource "aws_lambda_permission" "get_blog" {
  statement_id  = "AllowExecutionFromCognito"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.custom_message.function_name
  principal     = "cognito-idp.amazonaws.com"
  source_arn    = "${aws_cognito_user_pool.main.arn}/*/*"

  depends_on = [aws_lambda_function.custom_message]
}

...

resource "aws_lambda_function" "custom_message" {
  filename         = "${var.custom_message_path}/${var.custom_message_file_name}.zip"
  function_name    = var.custom_message_file_name
  role             = aws_iam_role.custom_message.arn
  handler          = "${var.custom_message_file_name}.handler"
  source_code_hash = filebase64sha256("${var.custom_message_path}/${var.custom_message_file_name}.zip")
  runtime          = "nodejs12.x"
  timeout          = 10
  layers           = [var.node_layer_arn]

  environment {
    variables = {
      TABLE_NAME   = var.table_name
      RESOURCENAME = "blogAuthCustomMessage"
      REGION       = "us-west-2"
    }
  }

  tags = {
    Name = var.developer
  }

  depends_on = [
    data.archive_file.custom_message,
  ]
}
```
Answer:
Based on OP’s feedback in the comment section, changing the source_arn property in aws_lambda_permission.get_blog to aws_cognito_user_pool.main.arn works.
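For reference, here is the corrected permission block spelled out in full. This is an added example, not code from the asker or the answerer; it reuses the resource names from the question and assumes that aws_lambda_function.post_confirmation (whose definition the question elides) is declared in the same module. The `/*/*` suffix in the original `source_arn` is the execute-api ARN pattern used for API Gateway invocations; Cognito invokes user pool triggers with the bare user pool ARN as the source, so the `ArnLike` condition that `aws_lambda_permission` generates never matched and Lambda returned AccessDeniedException. Each triggered function needs its own resource-based policy statement, so the post-confirmation trigger gets a parallel permission.

```hcl
# Added example: resource-based policy allowing Cognito to invoke the
# CustomMessage trigger. source_arn is the user pool ARN itself (no
# "/*/*" suffix), which is exactly what Cognito presents when it invokes
# a user pool trigger. Pinning source_arn to this one pool also stops
# any other user pool in the account from invoking the function.
resource "aws_lambda_permission" "custom_message_from_cognito" {
  statement_id  = "AllowExecutionFromCognito"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.custom_message.function_name
  principal     = "cognito-idp.amazonaws.com"
  source_arn    = aws_cognito_user_pool.main.arn

  # No depends_on needed: referencing function_name already creates the
  # dependency on aws_lambda_function.custom_message.
}

# The PostConfirmation trigger is a separate function, so it needs its
# own permission statement. aws_lambda_function.post_confirmation is
# assumed to be declared elsewhere in the module (elided in the question).
resource "aws_lambda_permission" "post_confirmation_from_cognito" {
  statement_id  = "AllowExecutionFromCognito"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.post_confirmation.function_name
  principal     = "cognito-idp.amazonaws.com"
  source_arn    = aws_cognito_user_pool.main.arn
}
```

After `terraform apply`, the generated policy can be inspected with `aws lambda get-policy --function-name <function>`; the statement's `Condition` should show `ArnLike` with `AWS:SourceArn` equal to the user pool ARN, and a sign-up that previously failed with AccessDeniedException should now trigger the custom message.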