add skip_destroy onto lambda_layer_permission

.changelog/29571.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_lambda_layer_version_permission: Add `skip_destroy` attribute
+```

internal/service/lambda/layer_version_permission.go

@@ -72,6 +72,12 @@ func ResourceLayerVersionPermission() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"skip_destroy": {
+				Type:     schema.TypeBool,
+				Default:  false,
+				ForceNew: true,
+				Optional: true,
+			},
 			"policy": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -197,6 +203,11 @@ func resourceLayerVersionPermissionRead(ctx context.Context, d *schema.ResourceD
 
 func resourceLayerVersionPermissionDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
+	if v, ok := d.GetOk("skip_destroy"); ok && v.(bool) {
+		log.Printf("[DEBUG] Retaining Lambda Layer Permission Version %q", d.Id())
+		return diags
+	}
+
 	conn := meta.(*conns.AWSClient).LambdaConn()
 
 	layerName, versionNumber, err := ResourceLayerVersionPermissionParseId(d.Id())

internal/service/lambda/layer_version_permission_test.go

@@ -38,9 +38,10 @@ func TestAccLambdaLayerVersionPermission_basic_byARN(t *testing.T) {
 				),
 			},
 			{
-				ResourceName:      resourceName,
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"skip_destroy"},
 			},
 		},
 	})
@@ -68,9 +69,10 @@ func TestAccLambdaLayerVersionPermission_basic_byName(t *testing.T) {
 				),
 			},
 			{
-				ResourceName:      resourceName,
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"skip_destroy"},
 			},
 		},
 	})
@@ -99,9 +101,10 @@ func TestAccLambdaLayerVersionPermission_org(t *testing.T) {
 				),
 			},
 			{
-				ResourceName:      resourceName,
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"skip_destroy"},
 			},
 		},
 	})
@@ -129,9 +132,10 @@ func TestAccLambdaLayerVersionPermission_account(t *testing.T) {
 				),
 			},
 			{
-				ResourceName:      resourceName,
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"skip_destroy"},
 			},
 		},
 	})
@@ -160,6 +164,36 @@ func TestAccLambdaLayerVersionPermission_disappears(t *testing.T) {
 	})
 }
 
+func TestAccLambdaLayerVersionPermission_skipDestroy(t *testing.T) {
+	ctx := acctest.Context(t)
+	resourceName := "aws_lambda_layer_version_permission.test"
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	rName2 := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, lambda.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             nil, // this purposely leaves dangling resources, since skip_destroy = true
+		Steps: []resource.TestStep{
+			{
+				Config: testAccLayerVersionPermissionConfig_skipDestroy(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckLayerVersionPermissionExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, "skip_destroy", "true"),
+				),
+			},
+			{
+				Config: testAccLayerVersionPermissionConfig_skipDestroy(rName2),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckLayerVersionPermissionExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, "skip_destroy", "true"),
+				),
+			},
+		},
+	})
+}
+
 // Creating Lambda layer and Lambda layer permissions
 
 func testAccLayerVersionPermissionConfig_basicARN(layerName string) string {
@@ -233,6 +267,24 @@ resource "aws_lambda_layer_version_permission" "test" {
 `, layerName)
 }
 
+func testAccLayerVersionPermissionConfig_skipDestroy(layerName string) string {
+	return fmt.Sprintf(`
+resource "aws_lambda_layer_version" "test" {
+  filename   = "test-fixtures/lambdatest.zip"
+  layer_name = %[1]q
+}
+
+resource "aws_lambda_layer_version_permission" "test" {
+  layer_name     = aws_lambda_layer_version.test.layer_name
+  version_number = aws_lambda_layer_version.test.version
+  action         = "lambda:GetLayerVersion"
+  statement_id   = "xaccount"
+  principal      = "*"
+  skip_destroy   = true
+}
+`, layerName)
+}
+
 func testAccCheckLayerVersionPermissionExists(ctx context.Context, n string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[n]

website/docs/r/lambda_layer_version_permission.html.markdown

@@ -12,6 +12,8 @@ Provides a Lambda Layer Version Permission resource. It allows you to share you
 
 For information about Lambda Layer Permissions and how to use them, see [Using Resource-based Policies for AWS Lambda][1]
 
+~> **NOTE:** Setting `skip_destroy` to `true` means that the AWS Provider will _not_ destroy any layer version permission, even when running `terraform destroy`. Layer version permissions are thus intentional dangling resources that are _not_ managed by Terraform and may incur extra expense in your AWS account.
+
 ## Example Usage
 
 ```terraform
@@ -34,6 +36,7 @@ The following arguments are supported:
 * `principal` - (Required) AWS account ID which should be able to use your Lambda Layer. `*` can be used here, if you want to share your Lambda Layer widely.
 * `statement_id` - (Required) The name of Lambda Layer Permission, for example `dev-account` - human readable note about what is this permission for.
 * `version_number` (Required) Version of Lambda Layer, which you want to grant access to. Note: permissions only apply to a single version of a layer.
+* `skip_destroy` - (Optional) Whether to retain the old version of a previously deployed Lambda Layer. Default is `false`. When this is not set to `true`, changing any of `compatible_architectures`, `compatible_runtimes`, `description`, `filename`, `layer_name`, `license_info`, `s3_bucket`, `s3_key`, `s3_object_version`, or `source_code_hash` forces deletion of the existing layer version and creation of a new layer version.
 
 ## Attributes Reference