Cognito User Pool Lambda Trigger permission

Question

I'm using Terraform to create a Cognito User pool. I'd like to use a lambda function for sending a custom message when a user signs up. When I run attempt to sign up on the client, I get an error saying that "CustomMessage invocation failed due to error AccessDeniedException." I've used Lambda Permissions before, but I can't find any examples of this configuration. How do I give the lambda function permission? The following is my current configuration.

resource "aws_cognito_user_pool" "main" {
  name = "${var.user_pool_name}_${var.stage}"
  username_attributes = [ "email" ]
  schema {
    attribute_data_type = "String"
    mutable             = true
    name                = "name"
    required            = true
  }
  schema {
    attribute_data_type = "String"
    mutable             = true
    name                = "email"
    required            = true
  }

  password_policy {
    minimum_length    = "8"
    require_lowercase = true
    require_numbers   = true
    require_symbols   = true
    require_uppercase = true
  }
  mfa_configuration        = "OFF"
  
  lambda_config {
    custom_message    = aws_lambda_function.custom_message.arn
    post_confirmation = aws_lambda_function.post_confirmation.arn
  }
}
...
resource "aws_lambda_permission" "get_blog" {
  statement_id  = "AllowExecutionFromCognito"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.custom_message.function_name
  principal     = "cognito-idp.amazonaws.com"
  source_arn    = "${aws_cognito_user_pool.main.arn}/*/*"
  depends_on = [ aws_lambda_function.custom_message ]
}
...
resource "aws_lambda_function" "custom_message" {
  filename         = "${var.custom_message_path}/${var.custom_message_file_name}.zip"
  function_name    = var.custom_message_file_name
  role             = aws_iam_role.custom_message.arn
  handler          = "${var.custom_message_file_name}.handler"
  source_code_hash = filebase64sha256("${var.custom_message_path}/${var.custom_message_file_name}.zip")
  runtime          = "nodejs12.x"
  timeout          = 10
  layers           = [ var.node_layer_arn ]
  environment {
    variables = {
      TABLE_NAME = var.table_name
      RESOURCENAME = "blogAuthCustomMessage"
      REGION = "us-west-2"
    }
  }
  tags = {
    Name = var.developer
  }
  depends_on = [
    data.archive_file.custom_message, 
  ]
}

Answer 1

Based on OP's feedback in the comment section, changing source_arn property in the aws_lambda_permission.get_blog to aws_cognito_user_pool.main.arn works.

Answer 2

The wildcard characters in the Terraform configuration (/*/*) allow the permission to be more general, applying to any and all events from the user pool. However, in my case I had to remove it due to same error occuring and when I recreated the cognito lambda trigger manually from aws console, I compared the automatic permission that aws console creates and the one I created with terraform, the permission created by aws appeared to not have a wildcard after the source_arn.

Here is what worked for me:

resource "aws_lambda_permission" "post_confirmation_cognito_lambda_invoke_permission" {
  statement_id  = "AllowExecutionFromCognito"
  action        = "lambda:InvokeFunction"
  function_name = "your_function_arn"
  principal     = "cognito-idp.amazonaws.com"
  source_arn    = module.cognito_user_pool.arn # Removed /*/*
}