AWS Lambda VPC on Terraform

Question

When creating an AWS Lambda Function with terraform 0.9.3, I'm failing to make it join my selected VPC.

This is how my function looks like:

resource "aws_lambda_function" "lambda_function" {
   s3_bucket        = "${var.s3_bucket}"
   s3_key           = "${var.s3_key}"
   function_name    = "${var.function_name}"
   role             = "${var.role_arn}"
   handler          = "${var.handler}"

   runtime          = "${var.runtime}"
   timeout          = "30"
   memory_size      = 256
   publish          = true

   vpc_config {
       subnet_ids = ["${var.subnet_ids}"]
       security_group_ids = ["${var.security_group_ids}"]
   }
 }

The policy I'm using for the role is

 data "aws_iam_policy_document" "lambda-policy_policy_document" {
       statement {
            effect = "Allow"
            actions = [
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeVpcs",
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "ec2:CreateNetworkInterface",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DeleteNetworkInterface"
        ]
        resources = ["*"]
     }
 }

The resources are created just fine, if I try to add the VPC and the subnets via the AWS console it all works out.

Update (creation plan):

module.******.aws_lambda_function.lambda_function
arn:                                 "<computed>"
environment.#:                       "1"
environment.0.variables.%:           "1"
environment.0.variables.environment: "******"
function_name:                       "******"
handler:                             "******"
last_modified:                       "<computed>"
memory_size:                         "256"
publish:                             "true"
qualified_arn:                       "<computed>"
role:                                "******"
runtime:                             "******"
s3_bucket:                           "******"
s3_key:                              "******"
source_code_hash:                    "<computed>"
timeout:                             "30"
version:                             "<computed>"
vpc_config.#:                        "1"
vpc_config.0.vpc_id:                 "<computed>"

Though, if I run terraform plan again, the VPC config is always changed.

vpc_config.#: "0" => "1" (forces new resource)

Can you show the plan output when you don't have the Lambda function there? — ydaetskcoR
That looks wrong to me. I've just planned one of my own Lambda functions that happens to be inside a VPC and I see extra lines on the plan for the security group ids and subnet ids that your plan doesn't show. Something like: vpc_config.0.subnet_ids.1220732747: "subnet-12345678". Have you checked your subnet IDs and security group IDs are correctly being passed in? — ydaetskcoR
For reference the module I'm using is public (github.com/tomelliff/s3-web-service-proxy/blob/master/terraform/…) but your configuration for your module looks fine compared to that so I'd guess it's down to how you are calling the module. — ydaetskcoR

Arbab Nazar Arbab Nazar · Accepted Answer · 2019-01-25T14:22:00

I think the value of subnet_ids is like this: "subnet-xxxxx,subnet-yyyyy,subnet-zzzzz" and it take it as single subnet instead of list. You can fix this problem like this:

vpc_config {
  subnet_ids = ["${split(",", var.subnet_ids)}"]
  security_group_ids = ["${var.security_group_ids}"]
}

AWS Lambda VPC on Terraform

2 Answers