Add option for a lambda function URL for testing

[dwhswenson]

Waiting for the scheduled job to kick off in order to do an E2E test is a hassle. This gives an option to add a test URL, so I can trigger the lambda it with a quick curl.

No auth, so not recommended for production, but very convenient for a quick test.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.28%. Comparing base (6f199a4) to head (7dc95d1).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #17   +/-   ##
=======================================
  Coverage   98.28%   98.28%           
=======================================
  Files          10       10           
  Lines         408      408           
=======================================
  Hits          401      401           
  Misses          7        7           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

This pull request adds an optional Lambda Function URL feature to the scheduled-lambda module to enable on-demand testing without waiting for scheduled execution. The implementation introduces a new create_test_url variable that conditionally creates an unauthenticated, publicly accessible Lambda Function URL for testing purposes.

Changes:

• Added create_test_url boolean variable with default false to control Function URL creation
• Created AWS Lambda Function URL resource and associated permissions when enabled
• Exposed the Function URL through module outputs for easy access

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
modules/scheduled-lambda/variables.tf	Added create_test_url boolean variable to control test URL creation
modules/scheduled-lambda/outputs.tf	Added test_function_url output to expose the generated URL when enabled
modules/scheduled-lambda/main.tf	Implemented Lambda Function URL resource and two permission resources (conditionally created)
examples/basic/variables.tf	Propagated create_test_url variable to example configuration
examples/basic/main.tf	Passed through create_test_url to module and exposed output

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

These two lambda permission resources appear to be redundant. When creating a Lambda Function URL with authorization_type = "NONE", only one aws_lambda_permission resource with action = "lambda:InvokeFunction" is needed. The "lambda:InvokeFunctionUrl" action and "function_url_auth_type" parameter in the first resource are not standard AWS Terraform provider parameters. Consider removing the first permission resource (allow_function_url) and keeping only the second one (allow_function_url_invoke), as it follows the correct pattern seen in the EventBridge permission at line 115.

[dwhswenson]

To invoke a function URL, you must have lambda:InvokeFunctionUrl and lambda:InvokeFunction permissions. Found this out the hard way with some 403s.

[Copilot]

The aws_lambda_function_url is configured with authorization_type = "NONE" and the corresponding aws_lambda_permission for lambda:InvokeFunctionUrl uses principal = "*", which makes this Lambda function URL publicly invokable over the internet with no authentication. Anyone who discovers the URL can trigger the function, potentially leading to data exfiltration, unintended side effects, or abuse if this module is used in a non-test or production environment. Consider requiring authenticated access (e.g., AWS_IAM) or at minimum documenting and enforcing that this resource can only be enabled in tightly controlled, non-production environments (for example via environment-specific variables or additional guards).

[dwhswenson]

Added more clear warning about risks in README and variable description (7dc95d1)

[Copilot]

The aws_lambda_permission resource allow_function_url_invoke grants lambda:InvokeFunction with principal = "*", which allows any AWS account to invoke this Lambda directly via the AWS API if they know its ARN. This creates a broad cross-account access exposure that goes beyond the unauthenticated function URL and could be abused for unauthorized invocation or lateral movement in multi-account setups. Restrict this permission to the specific AWS service or account that needs to invoke the function (or remove it entirely if it is not required for the function URL path).

Suggested change

	resource "aws_lambda_permission" "allow_function_url_invoke" {
	count = var.create_test_url ? 1 : 0
	statement_id = "AllowFunctionUrlInvokeFunction"
	action = "lambda:InvokeFunction"
	function_name = aws_lambda_function.scheduled.function_name
	principal = "*"
	}

[dwhswenson]

Added more clear warning about risks in README and variable description (7dc95d1)

[dwhswenson]

@ethanholz This should be ready for review. I might improve docs on the URL variable to emphasize that it isn't recommended for long-lived deployments. This should be a pretty easy review.

[ethanholz]

All of this looks great, merging.