4
votes

I am trying to set up my current infrastructure in Terraform (v 0.13.0). I am simply starting with migrating existing lambda functions. I have used the following code to try to upload an existing lambda function in .NET Core 3.1 to AWS (provider v. 3.0). I have no issue deploying this manually, but this is obviously not the goal.

Here is the IAM role:

resource "aws_iam_role" "role_lambda" {
  name = "roleLambda"

  assume_role_policy = <<POLICY
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
      }
    ]
  }
  POLICY
  }

Below is the function (note I have obfuscated some values):

resource "aws_lambda_function" "lambda_tf" {
  function_name     = "LambdaTFTest"
  role              = aws_iam_role.role_lambda.arn
  handler           = "Lambda::Lambda.Function::FunctionHandler"
  runtime           = "dotnetcore3.1"
  s3_bucket         = "arn:aws:s3:::xxxx-xxxxxx"
  s3_key            = "Lambda.zip"
  s3_object_version = "XxXxXxXxXxXxXxXxXxXxXxXxXxXx"
}

However, I keep getting this error as output, with no more details:

Error: Error creating Lambda function: ValidationException: 
        status code: 400, request id: a5e89c38-d1f1-456d-93c1-41650fb45386

I already made sure that my lambda is deployed within the same region as the S3 bucket itself, so this is not the issue. I thought this could be related to some invalid parameters, but I have played with all of them and can't manage to find the problem. I have also double-checked the correct spelling of the key, version and so on. How can I make progress on this?

Thanks in advance for your help.

5
Open AWS console, navigate to CloudFormation->Stacks and check why your lambda stack is not executed properly. – Traycho Ivanov

5 Answers

1
votes

The aws_iam_role has a syntax error. There is a missing - in front of POLICY if you want to keep it tabbed:

resource "aws_iam_role" "role_lambda" {
  name = "roleLambda"

  assume_role_policy = <<-POLICY
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
      }
    ]
  }
  POLICY
}

In aws_lambda_function, the s3_bucket should be just the bucket name, not its ARN:

resource "aws_lambda_function" "lambda_tf" {
  function_name     = "LambdaTFTest"
  role              = aws_iam_role.role_lambda.arn
  handler           = "Lambda::Lambda.Function::FunctionHandler"
  runtime           = "dotnetcore3.1"
  s3_bucket         = "xxxx-xxxxxx" 
  s3_key            = "Lambda.zip"
  s3_object_version = "XxXxXxXxXxXxXxXxXxXxXxXxXxXx"
}

0
votes

This comes down to one of the parameters being passed in being invalid.

Ensure that the Lambda name is unique, the S3 bucket and key exist and that the IAM role has the assume role policy when it’s attached.

The runtime is correct, everything else is user defined so would need you to validate.

Try using the filename property instead of S3 (this will use local disk instead of S3). Does that work? If so, it might be S3 permissions.

If you verify everything and it’s still not working, the best suggestion would be to raise it with AWS support, providing the request ID.

0
votes

For those who might have run into the same issue, it might help to try formatting your main.tf file by converting all spaces to tabs.

If you're using VS Code, there is a tab below to convert this; it depends on whether you use spaces or tabs.

Below: [screenshot]

Convert Indentation to Tabs: [screenshot]

This fixed the issue for me.

0
votes

It could really be any of the parameters you pass to lambda resource. In my case I said the timeout was "900000" instead of 900. I assumed it to be in ms for some reason.

0
votes

I actually got the same error when using a Docker image. The fix here is to set package_type = "Image".
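
A pre-flight check for the argument mistakes named in the answers above (an ARN in s3_bucket, a timeout not given in seconds, an image without package_type = "Image"), run over the JSON form of a saved plan so they surface before the API returns its empty ValidationException. This is an added example, not code from any of the posts; the function names, the simplified bucket-name pattern and the sample plan are constructed for illustration.

```python
import json
import re

# Constructed sample of `terraform show -json tfplan` output (after
# `terraform plan -out=tfplan`), trimmed to the fields this check reads.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_lambda_function.lambda_tf", "type": "aws_lambda_function",
     "change": {"after": {"s3_bucket": "arn:aws:s3:::xxxx-xxxxxx",
                          "timeout": 900000, "package_type": "Zip"}}},
    {"address": "aws_lambda_function.fixed", "type": "aws_lambda_function",
     "change": {"after": {"s3_bucket": "xxxx-xxxxxx", "timeout": 900}}},
]})

# Simplified S3 bucket-name shape (assumption): 3-63 chars, lowercase, digits, '.', '-'
BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
MAX_TIMEOUT_SECONDS = 900  # Lambda's upper limit; the argument is in seconds


def check_lambda(after):
    """Return a list of problems for one planned aws_lambda_function."""
    problems = []
    bucket = after.get("s3_bucket")
    if bucket is not None:
        if bucket.startswith("arn:"):
            problems.append("s3_bucket is an ARN; pass the bare bucket name")
        elif not BUCKET_NAME.match(bucket):
            problems.append("s3_bucket is not a valid bucket name")
    timeout = after.get("timeout")
    if timeout is not None and not 1 <= timeout <= MAX_TIMEOUT_SECONDS:
        problems.append(f"timeout {timeout} is outside 1-{MAX_TIMEOUT_SECONDS} seconds")
    if after.get("image_uri") and after.get("package_type") != "Image":
        problems.append('image_uri is set but package_type is not "Image"')
    return problems


def check_plan(plan_json):
    """Map resource address -> problems for each Lambda that will exist after apply."""
    findings = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc.get("change", {}).get("after")  # None when the resource is deleted
        if rc.get("type") != "aws_lambda_function" or not after:
            continue
        problems = check_lambda(after)
        if problems:
            findings[rc["address"]] = problems
    return findings


if __name__ == "__main__":
    for address, problems in check_plan(SAMPLE_PLAN).items():
        print(address, problems)
```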