2 votes

I am trying to create a Lambda role and attach a policy to it to Allow all ElasticSearch cluster operations.

Below is the code -

resource "aws_iam_role" "lambda_iam" {
  name = "lambda_iam"
  assume_role_policy = <<EOF
  {
    "Version": "2012-10-17",
    "Statement": [{
            "Action": [
                "es:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }]
  }
EOF
}

resource "aws_lambda_function" "developmentlambda" {
  filename      = "lambda_function.zip"
  function_name = "name"
  role          = "${aws_iam_role.lambda_iam.arn}"
  handler       = "exports.handler"

  source_code_hash = "${filebase64sha256("lambda_function.zip")}"

  runtime = "nodejs10.x"
}

I get the following error

Error creating IAM Role lambda_iam: MalformedPolicyDocument: Has prohibited field Resource

The Terraform document regarding Resource says you can specify a "*" for ALL users. The Principal field is not mandatory either, so that's not the problem. I still changed it to be

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "es.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

But that said -

Error creating Lambda function: InvalidParameterValueException: The role defined for the function cannot be assumed by Lambda.

My lambda function definition is simple

resource "aws_lambda_function" "development_lambda" {
  filename      = "dev_lambda_function.zip"
  function_name = "dev_lambda_function_name"
  role          = "${aws_iam_role.lambda_iam.arn}"
  handler       = "exports.test"

  source_code_hash = "${filebase64sha256("dev_lambda_function.zip")}"

  runtime = "nodejs10.x"
}

The lambda file itself has nothing in it but I do not know if that explains the error.

Is there something I am missing here?

1 Answer

4 votes

The assume role policy is the role's trust policy (allowing the role to be assumed), not the role's permissions policy (what permissions the role grants to the assuming entity).

A Lambda execution role needs both types of policies.

The immediate error, that the "role defined for the function cannot be assumed by Lambda", is occurring because it needs "Principal": {"Service": "lambda.amazonaws.com"}, not es.amazonaws.com -- that goes in the permissions policy. I don't use terraform, but it looks like that might be resource "aws_iam_policy" based on https://www.terraform.io/docs/providers/aws/r/lambda_function.html, which I assume is the reference you are working from.
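Putting the two policies from the answer side by side, here is a complete Terraform configuration for the role in the question. This is an added example, not code from the asker or the answerer; it assumes Terraform 0.12+ syntax (jsonencode and unquoted references instead of the heredoc and "${...}" interpolation in the question), and the region, account id and domain name in the Elasticsearch ARN are placeholders.

```hcl
# Trust policy: who may assume the role. Only the Lambda service principal
# belongs here. Adding "Resource" to this document is what produced
# "MalformedPolicyDocument: Has prohibited field Resource".
resource "aws_iam_role" "lambda_iam" {
  name = "lambda_iam"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "LambdaAssumeRole"
      Effect = "Allow"
      Action = "sts:AssumeRole"
      Principal = {
        Service = "lambda.amazonaws.com"
      }
    }]
  })
}

# Permissions policy: what the role may do once assumed. The es:* actions go
# here, in a separate document attached to the role.
resource "aws_iam_policy" "lambda_es_access" {
  name        = "lambda_es_access"
  description = "Allow the Lambda function to call the Elasticsearch domain"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "ElasticsearchAccess"
      Effect = "Allow"
      Action = ["es:*"]
      # "*" is valid here, as in the question. Narrowing to the domain's ARN
      # (arn:aws:es:<region>:<account-id>:domain/<domain-name>/*) limits the
      # blast radius if the function is compromised. Placeholder values below.
      Resource = "arn:aws:es:us-east-1:123456789012:domain/example-domain/*"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "lambda_es_access" {
  role       = aws_iam_role.lambda_iam.name
  policy_arn = aws_iam_policy.lambda_es_access.arn
}

# AWS-managed policy that lets the function write its logs to CloudWatch Logs.
resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
  role       = aws_iam_role.lambda_iam.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

resource "aws_lambda_function" "development_lambda" {
  filename         = "dev_lambda_function.zip"
  function_name    = "dev_lambda_function_name"
  role             = aws_iam_role.lambda_iam.arn
  handler          = "exports.test"
  source_code_hash = filebase64sha256("dev_lambda_function.zip")
  runtime          = "nodejs10.x"

  # Ensure the permissions are attached before the function is created.
  depends_on = [aws_iam_role_policy_attachment.lambda_es_access]
}
```

The distinction to keep in mind: IAM rejects Resource in a trust policy because the resource of sts:AssumeRole is implicitly the role itself, while a permissions policy is rejected if it carries a Principal. Keeping the trust policy limited to the single service principal that needs it, and the permissions policy limited to the domain the function actually talks to, is the least-privilege shape for an execution role.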