Deploying API Gateway and Lambda Integration using Terraform

Time:02-16

I am trying to create a Lambda function using Terraform. There is no permission issue.

Plan: 7 to add, 0 to change, 0 to destroy.
aws_api_gateway_rest_api.test-rest-api: Creating...
aws_iam_role.test-lambda-role: Creating...
aws_lambda_function.test-lambda: Creating...
aws_api_gateway_rest_api.test-rest-api: Creation complete after 0s [id=13hnx8sw80]
aws_api_gateway_resource.resource: Creating...
aws_iam_role.test-lambda-role: Creation complete after 1s [id=testroleLambda]
aws_api_gateway_resource.resource: Creation complete after 2s [id=yd8iyo]
aws_api_gateway_method.method: Creating...
aws_api_gateway_method.method: Creation complete after 0s [id=agm-13hnx8sw80-yd8iyo-GET]
╷
│ Error: error creating Lambda Function (1): ValidationException:
│       status code: 400, request id: f769fb69-dbfe-4b8d-8321-e87c01eaffd9
│
│   with aws_lambda_function.test-lambda,
│   on main.tf line 41, in resource "aws_lambda_function" "test-lambda":
│   41:         resource "aws_lambda_function" "test-lambda" {

I tried to debug and it has the same info. There is nothing much.

export TF_LOG=TRACE
terraform apply 2>&1 | tee apply.txt

As per this git page, it's a known error: https://github.com/hashicorp/terraform-provider-aws/issues/13709. Has anyone got it resolved? I'm using Terraform v1.1.5 on linux_amd64.

# Lambda
resource "aws_lambda_permission" "test-lambda" {
  statement_id  = "AllowExecutionFromAPIGateway"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.test-lambda.function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "arn:aws:execute-api:${var.region_name}:${var.accountId}:${aws_api_gateway_rest_api.test-rest-api.id}"
}

resource "aws_lambda_function" "test-lambda" {
  filename      = "test-lambda.zip"
  function_name = "test-lambda"
  role = aws_iam_role.test-lambda-role.arn
  handler       = "test-lambda.lambda_handler"
  runtime       = "python3.8"
}

resource "aws_iam_role" "test-lambda-role" {
  name = "roleLambda"

  assume_role_policy = <<-POLICY
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
      }
    ]
  }
  POLICY
}

CodePudding user response:

I was able to successfully create the Lambda function and IAM role resources:

# YOUR PROVIDER IS LIKELY DIFFERENT THAN MINE
provider "aws" {
  region              = "us-east-1"
  access_key          = "AAAABBBBCCCC"
  secret_key          = "DDDDDEEEFFFGGGGHHH"
  allowed_account_ids = ["YOUR-AWS-ACCOUNT-ID"]
}

# I USE TERRAFORM CLOUD FOR BACKEND STATE FILE MGMT
# THIS IS LIKELY NOT RELEVANT TO YOU
terraform {
  backend "remote" {
    hostname    = "app.terraform.io"
    organization = "MYORG"

    workspaces {
      name = "testing"
    }
  }
}

#resource "aws_lambda_permission" "test-lambda" {
#  statement_id  = "AllowExecutionFromAPIGateway"
#  action        = "lambda:InvokeFunction"
#  function_name = aws_lambda_function.test-lambda.function_name
#  principal     = "apigateway.amazonaws.com"
#  source_arn = join("",["arn:aws:execute-api:",var.region_name,var.accountId,aws_api_gateway_rest_api.test-rest-api.id])
#}

resource "aws_lambda_function" "test-lambda" {
  filename      = "test-lambda.zip"
  function_name = "test-lambda"
  role = aws_iam_role.test-lambda-role.arn
  handler       = "test-lambda.lambda_handler"
  runtime       = "python3.8"
}

resource "aws_iam_role" "test-lambda-role" {
  name = "roleLambda"

  assume_role_policy = <<-POLICY
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
      }
    ]
  }
  POLICY
}

Output:

aws_iam_role.test-lambda-role: Creating...
aws_iam_role.test-lambda-role: Creation complete after 1s [id=roleLambda]
aws_lambda_function.test-lambda: Creating...
aws_lambda_function.test-lambda: Still creating... [10s elapsed]
aws_lambda_function.test-lambda: Creation complete after 13s [id=test-lambda]

Could you try to create just those 2 resources & see if you still get the same error? That would indicate there's an issue with the lambda permission resource or the API Gateway resource the permissions are referencing. I would still double check that your provider is set up properly with the correct region and aws account id. Just to rule that out. I've updated my answer to show all the terraform config I used to only create lambda & the IAM Role. Normally when I create a lambda function, I also add the aws_iam_policy resource along with the aws_iam_role_policy_attach resource. If you don't already have that, I would add that to your terraform config & try again.
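
As an added example (not from the original question or answer), the policy and attachment the answer suggests, plus a scoped replacement for the question's aws_lambda_permission, could look like this. The log group, the policy and attachment names and the 14-day retention are assumptions; the other resource names come from the question's config and apply output, and the log group ARN form assumes AWS provider 3.0 or later.

```hcl
# Added example: names marked "hypothetical" are not from the original post.

# Pre-create the log group so the policy can name one exact ARN.
resource "aws_cloudwatch_log_group" "test-lambda" { # hypothetical name
  name              = "/aws/lambda/test-lambda"
  retention_in_days = 14 # assumed retention period
}

# Execution policy limited to writing this function's own log streams,
# instead of a broad managed policy or "Resource": "*".
resource "aws_iam_policy" "test-lambda-logging" { # hypothetical name
  name = "test-lambda-logging"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = ["logs:CreateLogStream", "logs:PutLogEvents"]
      # Provider 3.0+ returns the group ARN without the trailing ":*".
      Resource = "${aws_cloudwatch_log_group.test-lambda.arn}:*"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "test-lambda-logging" { # hypothetical name
  role       = aws_iam_role.test-lambda-role.name
  policy_arn = aws_iam_policy.test-lambda-logging.arn
}

# Invoke permission scoped to one method and path on this REST API, so no
# other API in the account can invoke the function through this statement.
resource "aws_lambda_permission" "test-lambda" {
  statement_id  = "AllowExecutionFromAPIGateway"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.test-lambda.function_name
  principal     = "apigateway.amazonaws.com"

  # execution_arn = arn:aws:execute-api:<region>:<account>:<api-id>
  # suffix        = /<stage>/<HTTP method><resource path>; "*" matches any stage.
  source_arn = "${aws_api_gateway_rest_api.test-rest-api.execution_arn}/*/${aws_api_gateway_method.method.http_method}${aws_api_gateway_resource.resource.path}"
}
```

Using execution_arn avoids assembling the region and account ID by hand, which is where the separators went missing in the commented-out join() above.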
