fix(lambda): Add lambda:InvokeFunction permission for public Function URLs

chrisns · chrisns · commit c14d823c857b · 2026-01-26T09:22:55.000Z
Lambda Function URLs with AuthType NONE require both lambda:InvokeFunctionUrl and lambda:InvokeFunction permissions as of October 2025. Without both permissions, Function URLs return 403 Forbidden errors. Added the missing lambda:InvokeFunction permission to all 5 scenario templates: - council-chatbot - foi-redaction - planning-ai - smart-car-park - text-to-speech Ref: https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html
diff --git a/cloudformation/scenarios/council-chatbot/template.yaml b/cloudformation/scenarios/council-chatbot/template.yaml
@@ -399,6 +399,15 @@ Resources:
       Principal: '*'
       FunctionUrlAuthType: NONE
 
+  # Permission for public invocation (required since Oct 2025)
+  ChatbotFunctionInvokePermission:
+    Type: AWS::Lambda::Permission
+    Properties:
+      FunctionName: !Ref ChatbotFunction
+      Action: lambda:InvokeFunction
+      Principal: '*'
+      FunctionUrlAuthType: NONE
+
   # CloudWatch Log Group
   ChatbotLogGroup:
     Type: AWS::Logs::LogGroup
diff --git a/cloudformation/scenarios/foi-redaction/template.yaml b/cloudformation/scenarios/foi-redaction/template.yaml
@@ -777,6 +777,15 @@ Resources:
       Principal: '*'
       FunctionUrlAuthType: NONE
 
+  # Permission for public invocation (required since Oct 2025)
+  RedactionFunctionInvokePermission:
+    Type: AWS::Lambda::Permission
+    Properties:
+      FunctionName: !Ref RedactionFunction
+      Action: lambda:InvokeFunction
+      Principal: '*'
+      FunctionUrlAuthType: NONE
+
   # CloudWatch Log Group
   RedactionLogGroup:
     Type: AWS::Logs::LogGroup
diff --git a/cloudformation/scenarios/planning-ai/template.yaml b/cloudformation/scenarios/planning-ai/template.yaml
@@ -1232,6 +1232,15 @@ Resources:
       Principal: '*'
       FunctionUrlAuthType: NONE
 
+  # Permission for public invocation (required since Oct 2025)
+  PlanningAnalyzerFunctionInvokePermission:
+    Type: AWS::Lambda::Permission
+    Properties:
+      FunctionName: !Ref PlanningAnalyzerFunction
+      Action: lambda:InvokeFunction
+      Principal: '*'
+      FunctionUrlAuthType: NONE
+
   # CloudWatch Log Group
   PlanningAnalyzerLogGroup:
     Type: AWS::Logs::LogGroup
diff --git a/cloudformation/scenarios/smart-car-park/template.yaml b/cloudformation/scenarios/smart-car-park/template.yaml
@@ -655,6 +655,15 @@ Resources:
       Principal: '*'
       FunctionUrlAuthType: NONE
 
+  # Permission for public invocation (required since Oct 2025)
+  ParkingSimulatorFunctionInvokePermission:
+    Type: AWS::Lambda::Permission
+    Properties:
+      FunctionName: !Ref ParkingSimulatorFunction
+      Action: lambda:InvokeFunction
+      Principal: '*'
+      FunctionUrlAuthType: NONE
+
   # CloudWatch Log Group
   ParkingSimulatorLogGroup:
     Type: AWS::Logs::LogGroup
diff --git a/cloudformation/scenarios/text-to-speech/template.yaml b/cloudformation/scenarios/text-to-speech/template.yaml
@@ -597,6 +597,15 @@ Resources:
       Principal: '*'
       FunctionUrlAuthType: NONE
 
+  # Permission for public invocation (required since Oct 2025)
+  TextToSpeechFunctionInvokePermission:
+    Type: AWS::Lambda::Permission
+    Properties:
+      FunctionName: !Ref TextToSpeechFunction
+      Action: lambda:InvokeFunction
+      Principal: '*'
+      FunctionUrlAuthType: NONE
+
   # CloudWatch Log Group
   TextToSpeechLogGroup:
     Type: AWS::Logs::LogGroup
