
I am trying to create a Lambda function using Terraform. There is no permission issue.

Plan: 7 to add, 0 to change, 0 to destroy.
aws_api_gateway_rest_api.test-rest-api: Creating...
aws_iam_role.test-lambda-role: Creating...
aws_lambda_function.test-lambda: Creating...
aws_api_gateway_rest_api.test-rest-api: Creation complete after 0s [id=13hnx8sw80]
aws_api_gateway_resource.resource: Creating...
aws_iam_role.test-lambda-role: Creation complete after 1s [id=testroleLambda]
aws_api_gateway_resource.resource: Creation complete after 2s [id=yd8iyo]
aws_api_gateway_method.method: Creating...
aws_api_gateway_method.method: Creation complete after 0s [id=agm-13hnx8sw80-yd8iyo-GET]
╷
│ Error: error creating Lambda Function (1): ValidationException:
│       status code: 400, request id: f769fb69-dbfe-4b8d-8321-e87c01eaffd9
│
│   with aws_lambda_function.test-lambda,
│   on main.tf line 41, in resource "aws_lambda_function" "test-lambda":
│   41:         resource "aws_lambda_function" "test-lambda" {

I tried to debug, and it has the same info. There is nothing much.

TF_LOG=TRACE terraform apply 2>&1 | tee apply.txt

As per this GitHub page it's a known error: https://github.com/hashicorp/terraform-provider-aws/issues/13709 Has anyone got it resolved? I'm using Terraform v1.1.5 on linux_amd64.

# Lambda
resource "aws_lambda_permission" "test-lambda" {
  statement_id  = "AllowExecutionFromAPIGateway"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.test-lambda.function_name
  principal     = "apigateway.amazonaws.com"
  # execute-api ARN is region:account:api-id/stage/method/path; the three
  # wildcards let any stage, method and path of this API invoke the function.
  source_arn    = "arn:aws:execute-api:${var.region_name}:${var.accountId}:${aws_api_gateway_rest_api.test-rest-api.id}/*/*/*"
}

resource "aws_lambda_function" "test-lambda" {
  filename      = "test-lambda.zip"
  function_name = "test-lambda"
  role          = aws_iam_role.test-lambda-role.arn
  handler       = "test-lambda.lambda_handler"
  runtime       = "python3.8"
}

resource "aws_iam_role" "test-lambda-role" {
  name = "roleLambda"

  # Trust policy: only the Lambda service may assume this execution role.
  assume_role_policy = <<-POLICY
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
      }
    ]
  }
  POLICY
}
  • What version of Terraform are you using? Sharing your Terraform resource config / code would be very useful in helping to find the problem. Sharing your verbose log may still be useful too. That error itself is a vague one. Maybe you're setting up your Lambda in the wrong AWS account or region? In that known-error link you shared, it looks like someone mentions that you can add --debug to the equivalent AWS CLI command to get the proper error message. Commented Feb 15, 2022 at 14:05
  • The linked GH issue is only about making the error show a more informative error message rather than it being a "known error"; the error is a 400 Bad Request. If you include your TF, someone may be able to see what the issue is. Commented Feb 15, 2022 at 14:16
  • I have updated my initial post. I'm using Terraform v1.1.5 on linux_amd64. Thanks much. Commented Feb 15, 2022 at 14:33
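One way to get more out of the trace log than the provider's one-line error, as an added example that is not part of the question or of the AWS provider: under TF_LOG=DEBUG or TRACE the provider writes the raw HTTP request and response of every SDK call, so the region actually targeted (Host header) and the account actually used (Role ARN) can be read off and compared with what the provider was configured for, and the request fields can be checked against the shapes the Lambda CreateFunction API reference documents. The log excerpt below is constructed and only modelled on aws-sdk-go debug output; the region and account values, the KNOWN_RUNTIMES snapshot and the helper names are assumptions.

```python
"""Pre-flight and post-mortem checks for the Lambda CreateFunction call that
aws_lambda_function makes. Added example, not code from the question or the
AWS provider. Part 1 validates request fields against the Lambda API
reference; part 2 parses the HTTP exchange out of a TF_LOG debug log.
"""
import json
import re

# Shapes from the Lambda CreateFunction API reference. FunctionName is the
# plain-name form (1-64 chars); Role must carry a 12-digit account id.
# KNOWN_RUNTIMES is a snapshot and will age (python3.8 is the question's value).
FUNCTION_NAME_RE = re.compile(r"^[a-zA-Z0-9-_]{1,64}$")
HANDLER_RE = re.compile(r"^\S{1,128}$")
ROLE_ARN_RE = re.compile(r"^arn:(aws[a-zA-Z-]*)?:iam::(\d{12}):role/?[a-zA-Z_0-9+=,.@\-_/]+$")
KNOWN_RUNTIMES = {"python3.8", "python3.9", "python3.10", "python3.11", "python3.12",
                  "nodejs18.x", "nodejs20.x", "java11", "java17", "provided.al2"}


def check_create_function(params: dict) -> list:
    """Return human-readable problems with the CreateFunction parameters.
    Empty means the API will not reject the *format*; it says nothing about
    whether the role or account actually exists."""
    problems = []
    name = params.get("FunctionName", "")
    if not FUNCTION_NAME_RE.match(name):
        problems.append(f"FunctionName {name!r}: 1-64 chars of [a-zA-Z0-9-_]")
    handler = params.get("Handler", "")
    if not HANDLER_RE.match(handler):
        problems.append(f"Handler {handler!r}: 1-128 non-whitespace chars")
    role = params.get("Role", "")
    if not ROLE_ARN_RE.match(role):
        problems.append(f"Role {role!r}: expected arn:aws:iam::<12-digit-account>:role/<name>")
    runtime = params.get("Runtime", "")
    if runtime not in KNOWN_RUNTIMES:
        problems.append(f"Runtime {runtime!r}: not in the known runtime set")
    return problems


# Constructed excerpt. Real TF_LOG lines carry a timestamp and provider
# version prefix and more headers; the parser relies only on the section
# markers and on the JSON body being the last non-empty line of a section.
SAMPLE_TF_LOG = """\
[DEBUG] provider.terraform-provider-aws: [aws-sdk-go] DEBUG: Request lambda/CreateFunction Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST /2015-03-31/functions HTTP/1.1
Host: lambda.us-west-2.amazonaws.com
Content-Type: application/json

{"Code":{"ZipFile":"UEsDBBQAAAAI..."},"FunctionName":"test-lambda","Handler":"test-lambda.lambda_handler","Role":"arn:aws:iam::111122223333:role/roleLambda","Runtime":"python3.8"}
-----------------------------------------------------
[DEBUG] provider.terraform-provider-aws: [aws-sdk-go] DEBUG: Response lambda/CreateFunction Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 400 Bad Request
Content-Type: application/json
x-amzn-RequestId: 00000000-0000-0000-0000-000000000000

{"Type":"User","message":"constructed sample body"}
-----------------------------------------------------
"""


def _section(log: str, header: str) -> list:
    """Lines between a '---[ header ]---' marker and the next dashed rule."""
    m = re.search(r"---\[ " + re.escape(header) + r" \]-+\n(.*?)\n-{10,}", log, re.S)
    return m.group(1).splitlines() if m else []


def extract_exchange(log: str) -> dict:
    """Host, request body, response status and body of the first request/
    response pair in the log; {} if there is no request section."""
    req = _section(log, "REQUEST POST-SIGN")
    if not req:
        return {}
    out = {"host": "", "request": {}, "status": None, "response": None}
    for line in req:
        if line.lower().startswith("host:"):
            out["host"] = line.split(":", 1)[1].strip()
    out["request"] = json.loads(next(ln for ln in reversed(req) if ln.strip()))
    resp = _section(log, "RESPONSE")
    if resp:
        out["status"] = int(resp[0].split()[1])  # "HTTP/1.1 400 Bad Request"
        body = next((ln for ln in reversed(resp) if ln.strip()), "")
        try:
            out["response"] = json.loads(body)
        except ValueError:
            out["response"] = body
    return out


def cross_check(exchange: dict, expected_region: str, expected_account: str) -> list:
    """Compare where the request really went with where it was meant to go."""
    problems = []
    host_parts = exchange.get("host", "").split(".")
    region = host_parts[1] if len(host_parts) > 1 else ""
    if region != expected_region:
        problems.append(f"request was sent to {region!r}, provider region is {expected_region!r}")
    m = ROLE_ARN_RE.match(exchange.get("request", {}).get("Role", ""))
    account = m.group(2) if m else ""
    if account != expected_account:
        problems.append(f"Role ARN belongs to account {account!r}, expected {expected_account!r}")
    return problems


if __name__ == "__main__":
    ex = extract_exchange(SAMPLE_TF_LOG)
    print("status:", ex["status"], "body:", ex["response"])
    for p in check_create_function(ex["request"]) + cross_check(ex, "us-east-1", "111122223333"):
        print("problem:", p)
```

Run `TF_LOG=DEBUG terraform apply 2>&1 | tee apply.txt`, then pass the file's contents to extract_exchange(); the RESPONSE section shows exactly what Lambda returned, independent of how the provider formats its error line, and cross_check() with the provider's region and your account id turns the "wrong account or region" guess from the comments into a yes/no answer.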

1 Answer

I was able to successfully create the Lambda function and IAM role resources:

# YOUR PROVIDER IS LIKELY DIFFERENT THAN MINE
# The static keys below are placeholders; in practice credentials come from a
# named profile (AWS_PROFILE) or environment variables rather than a .tf file
# that ends up in version control.
provider "aws" {
  region              = "us-east-1"
  access_key          = "AAAABBBBCCCC"
  secret_key          = "DDDDDEEEFFFGGGGHHH"
  allowed_account_ids = ["YOUR-AWS-ACCOUNT-ID"]
}

# I USE TERRAFORM CLOUD FOR BACKEND STATE FILE MGMT
# THIS IS LIKELY NOT RELEVANT TO YOU
terraform {
  backend "remote" {
    hostname     = "app.terraform.io"
    organization = "MYORG"

    workspaces {
      name = "testing"
    }
  }
}

#resource "aws_lambda_permission" "test-lambda" {
#  statement_id  = "AllowExecutionFromAPIGateway"
#  action        = "lambda:InvokeFunction"
#  function_name = aws_lambda_function.test-lambda.function_name
#  principal     = "apigateway.amazonaws.com"
#  source_arn    = join(":", ["arn:aws:execute-api", var.region_name, var.accountId, aws_api_gateway_rest_api.test-rest-api.id])
#}

resource "aws_lambda_function" "test-lambda" {
  filename      = "test-lambda.zip"
  function_name = "test-lambda"
  # execution role is aws_iam_role.general, defined below
  role          = aws_iam_role.general.arn
  handler       = "test-lambda.lambda_handler"
  runtime       = "python3.8"
}

resource "aws_iam_role" "general" {
  name        = "YOUR-ROLE-NAME"
  description = "YOUR-ROLE-DESCRIPTION"
  //managed_policy_arns = var.managed_policy_arns
  assume_role_policy = file("${path.module}/assume-role-policy.json")
  //tags = var.tags
}

resource "aws_iam_policy" "general" {
  name        = "YOUR-POLICY-NAME"
  description = "YOUR-POLICY-DESCRIPTION"
  policy      = file("${path.module}/role-policy.json")
}

resource "aws_iam_role_policy_attachment" "general" {
  role       = aws_iam_role.general.name
  policy_arn = aws_iam_policy.general.arn
}

// CONTENTS OF POLICY ./assume-role-policy.json used in aws_iam_role resource:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Principal": {
            "Service": [
                "lambda.amazonaws.com",
                "apigateway.amazonaws.com"
            ]
        },
        "Effect": "Allow",
        "Sid": ""
    }]
}

// CONTENTS OF ROLE ./role-policy.json used in aws_iam_policy resource:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:*",
            "events:*",
            "cloudwatch:*",
            "logs:*",
            "ssm:*",
            "kms:*",
            "sns:*",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:GetRole",
            "s3:*",
            "servicediscovery:*"
        ],
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": "iam:CreateServiceLinkedRole",
        "Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*",
        "Condition": {
            "StringLike": {
                "iam:AWSServiceName": "events.amazonaws.com"
            }
        }
    }]
}

Could you try to create just those Lambda and IAM resources and see if you still get the same error? That would indicate there's an issue with the Lambda permission resource or the API Gateway resource the permissions are referencing. I would still double-check that your provider is set up properly with the correct region and AWS account id, just to rule that out. I've updated my answer to show how I typically manage IAM permissions with Lambda. You can modify accordingly based on the permissions you need.


5 Comments

I have 2 other files for variables (region & accountId). Can you post your Lambda code so I can try the same? I was able to create the API; only the Lambda fails. Am I missing any other permission/role? Thanks.
I've updated my answer to show all the Terraform config I used. I only tested the Lambda resource creation along with the IAM role creation, but normally with my Lambda functions I also add the aws_iam_policy & aws_iam_role_policy_attachment.
@pualg, I created an IAM user (btw, my provider is AWS) and used this user profile: export AWS_PROFILE=myuser. I tried the IAM user's access_key & secret_key and still received error 400. Is that because I do not have the aws_iam_role_policy_attachment policy? What does this policy do? I closed this session, logged back in, and did not export the user profile this time. I took your code, used the ec2-user's access_key & secret_key, and it worked this time. I still want to use the IAM user profile. Can you post the policies you used? Thanks a lot.
I think you mean the resource aws_iam_role_policy_attachment. I'm new to Terraform. registry.terraform.io/providers/hashicorp/aws/latest/docs/…
@Doc - I've updated my answer to reflect another way of managing your IAM permissions with Lambda & have included the aws_iam_role_policy_attachment resource so you can see how it's used.
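The answer leaves the permission set to the reader ("modify accordingly based on the permissions you need"). As an added example that is not part of the answer, here is a small lint over the two JSON documents it posts plus a tightened replacement for the permission policy. The policies are embedded verbatim as constructed test input. Assumption: the function is invoked through aws_lambda_permission as in the question, so only the Lambda service needs to assume the execution role; the region, account and function name passed to minimal_logging_policy() are placeholders, and the log-group ARN layout follows the CloudWatch Logs ARN format.

```python
"""Lint a Lambda execution role's trust and permission policies and emit a
least-privilege logging policy. Added example, not code from the answer.
"""
import json

# Trust policy from the answer (./assume-role-policy.json), as test input.
TRUST_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Principal": {"Service": ["lambda.amazonaws.com", "apigateway.amazonaws.com"]},
        "Effect": "Allow",
        "Sid": ""
    }]
}""")

# Permission policy from the answer (./role-policy.json), as test input.
PERMISSION_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:*", "events:*", "cloudwatch:*", "logs:*", "ssm:*", "kms:*", "sns:*",
                   "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "s3:*", "servicediscovery:*"],
        "Resource": "*"
    }, {
        "Effect": "Allow",
        "Action": "iam:CreateServiceLinkedRole",
        "Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*",
        "Condition": {"StringLike": {"iam:AWSServiceName": "events.amazonaws.com"}}
    }]
}""")


def _as_list(v):
    """IAM allows Action/Resource/Principal values as a string or a list."""
    if v is None:
        return []
    return [v] if isinstance(v, str) else list(v)


def lint_trust_policy(doc: dict, allowed_services=("lambda.amazonaws.com",)) -> list:
    """Flag Allow statements whose service principal the execution role does
    not need (API Gateway invokes via the function's resource policy, it never
    assumes the execution role), and statements open to every AWS principal."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"statement {i}: any principal may assume this role")
        if isinstance(principal, dict):
            for svc in _as_list(principal.get("Service")):
                if svc not in allowed_services:
                    findings.append(f"statement {i}: {svc} may assume the role but does not need to")
    return findings


def lint_permission_policy(doc: dict) -> list:
    """Flag Allow statements that pair service-wide actions ('svc:*' or '*')
    with Resource '*'; those are the statements to scope down first."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        wide = [a for a in _as_list(stmt.get("Action")) if a == "*" or a.endswith(":*")]
        if wide and "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: {len(wide)} service-wide actions on Resource '*': {', '.join(wide)}")
    return findings


def minimal_logging_policy(region: str, account: str, function_name: str) -> dict:
    """What a plain Lambda execution role usually needs: write its own log
    group. Same three actions as the managed AWSLambdaBasicExecutionRole
    policy, scoped to this function's log group instead of Resource '*'."""
    log_group = f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/{function_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": log_group},
            {"Effect": "Allow",
             "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": f"{log_group}:*"},
        ],
    }


if __name__ == "__main__":
    for f in lint_trust_policy(TRUST_POLICY) + lint_permission_policy(PERMISSION_POLICY):
        print("finding:", f)
    print(json.dumps(minimal_logging_policy("us-east-1", "111122223333", "test-lambda"), indent=2))
```

Against the posted documents the lint reports the apigateway.amazonaws.com trust entry and the first permission statement (nine service-wide actions on Resource "*"); the iam:CreateServiceLinkedRole statement is already resource- and condition-scoped and passes. Write the output of minimal_logging_policy() to role-policy.json and add only the specific actions the function body actually calls.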
