terraform-aws-lambda-function's Issues

Allow for custom_iam_policy_arns that are unknown during terraform apply

Describe the Bug

Getting below mentioned error:


│ Error: Invalid for_each argument

│ on .terraform\modules\data_science_lambda.data_science_lambda\iam-role.tf line 89, in resource "aws_iam_role_policy_attachment" "custom":
│ 89: for_each = local.enabled ? local.custom_iam_policy_arns_map : {}
│ ├────────────────
│ │ local.custom_iam_policy_arns_map will be known only after apply
│ │ local.enabled is true

│ The "for_each" map includes keys derived from resource attributes that
│ cannot be determined until apply, and so Terraform cannot determine the
│ full set of keys that will identify the instances of this resource.

│ When working with unknown values in for_each, it's better to define the map
│ keys statically in your configuration and place apply-time results only in
│ the map values.

│ Alternatively, you could use the -target planning option to first apply
│ only the resources that the for_each value depends on, and then apply a
│ second time to fully converge.

=====================================================

Expected Behavior

Policy should be created and aligned with Lambda role at runtime along with AWS Lambda function

Steps to Reproduce

Sample Code:

locals {
  enabled                = module.this.enabled
  custom_iam_policy_arns = [aws_iam_policy.custom_s3_policy.arn]
  s3_lambda_environment  = var.abc_lambda_env == null ? null : { variables = var.abc_lambda_env }
}

data "aws_iam_policy_document" "custom_s3_policy" {
  version = "2012-10-17"

  statement {
    actions = [
      "s3:ListBucket"
    ]
    resources = [
      "arn:aws:s3:::${data.terraform_remote_state.abc_bucket_id.outputs.bucket_id}"
    ]
  }

  statement {
    actions = [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
      "secretsmanager:ListSecrets",
      "secretsmanager:ListSecretVersionIds"
    ]
    # "*" grants read access to every secret in the account; scope this to the
    # ARNs of the secrets the function actually needs where possible.
    resources = [
      "*"
    ]
  }
}

resource "aws_iam_policy" "custom_s3_policy" {
  name        = "${module.this.id}-access-policy"
  description = "Custom policy to allow access to one S3 bucket only."
  policy      = data.aws_iam_policy_document.custom_s3_policy.json
  tags        = module.this.tags
}

data "terraform_remote_state" "abc_bucket_id" {
  backend = "s3"

  config = {
    bucket = var.abc_tfstate_bucket_name
    key    = var.abc_s3_bucket_key
    region = "XXX"
  }
}

module "abc_lambda" {
  source  = "cloudposse/lambda-function/aws"
  version = "0.5.5"

  enabled                = true
  function_name          = "${module.this.id}"
  description            = "Lambda test."
  s3_bucket              = var.s3_lambda_s3_bucket
  s3_key                 = var.s3_lambda_s3_key
  runtime                = var.s3_lambda_runtime
  handler                = var.s3_lambda_handler
  lambda_environment     = local.s3_lambda_environment
  architectures          = ["x86_64"]
  memory_size            = var.s3_lambda_memory_size
  ephemeral_storage_size = var.s3_lambda_storage_size
  timeout                = var.s3_lambda_timeout
  custom_iam_policy_arns = local.custom_iam_policy_arns
  context                = module.this.context
  vpc_config             = var.abc_lambda_vpc_config
}

resource "aws_lambda_permission" "allow_s3" {
  statement_id  = "AllowExecutionFromS3"
  action        = "lambda:InvokeFunction"
  function_name = module.abc_lambda.function_name
  principal     = "s3.amazonaws.com"
  source_arn    = data.terraform_remote_state.abc_bucket_id.outputs.bucket_arn
}

Screenshots

No response

Environment

No response

Additional Context

No response

VPC execution role not attached

I was trying to connect lambda to VPC and it failed with the following error:

"The provided execution role does not have permissions to call CreateNetworkInterface on EC2"

The config simply had these additional lines:

  vpc_config = {
    security_group_ids = ["sg-xxxxxxxxxx"]
    subnet_ids         = data.terraform_remote_state.parent.outputs.vpc_private_subnet_ids
  }

I believe there's a typo at the following line as it should be var.vpc_config != null:

count = local.enabled && var.vpc_config == null ? 1 : 0

I haven't tested it though.

Temporarily resolved by adding VPC permissions through custom lambda policy.

Redundant ignore_changes element: in resource "aws_lambda_function" "this"

Describe the Bug

When running terraform plan (or apply), a declaration of this module throws the following warning:

│ Warning: Redundant ignore_changes element
│
│   on .terraform/modules/foo.lambda_changes/main.tf line 21, in resource "aws_lambda_function" "this":
│   21: resource "aws_lambda_function" "this" {
│
│ Adding an attribute name to ignore_changes tells Terraform to ignore future changes to the argument in configuration after the object has been created, retaining the value originally configured.
│
│ The attribute last_modified is decided by the provider alone and therefore there can be no configured value to compare with. Including this attribute in ignore_changes has no effect. Remove the attribute from ignore_changes to quiet this
│ warning.
│
│ (and one more similar warning elsewhere)

The error is coming from the lifecycle block at https://github.com/cloudposse/terraform-aws-lambda-function/blob/0.5.1/main.tf#L93-L95

lifecycle {
  ignore_changes = [last_modified]
}

Expected Behavior

When running terraform plan (or apply), a declaration of this module does not throw a "Redundant ignore_changes element" warning

Steps to Reproduce

In my case, I declared this module with s3_bucket and s3_key:

module "lambda_responses" {
  source  = "cloudposse/lambda-function/aws"
  version = "0.5.1"

  function_name = "${module.lambda_label.id}-test"
  attributes    = concat(module.lambda_label.attributes, ["test"])
  description   = "Yay lambdas"
  s3_bucket     = var.responses_lambda_s3_bucket
  s3_key        = var.responses_lambda_s3_key
  runtime       = var.responses_lambda_runtime
  handler       = var.responses_lambda_handler
  architectures = ["x86_64"]
  context       = module.lambda_label.context
}

Then ran terraform apply from the root module shown above.
The Lambda and related resources were created just fine, but the Terraform run ended with the "ignore_changes" warning.

Environment

Versions:

  • Terraform v1.5.6
  • module cloudposse/lambda-function/aws 0.5.1
  • provider registry.terraform.io/hashicorp/aws v5.19.0
  • provider registry.terraform.io/hashicorp/time v0.9.1

Additional Context

Root cause and the reason for the lifecycle block in the first place: hashicorp/terraform-provider-aws#29085

Churn with `aws_iam_role.this`

Describe the Bug

There is a permanent name change with aws_iam_role.this which is causing the resource to be recreated on every apply.

This is causing further issues with KMS permissions in the lambda function being revoked, including permissions to the default KMS key.

See serverless/examples#279 for context regarding KMS key

Expected Behavior

IAM role should not be constantly recreated.

Steps to Reproduce

Apply module, apply again.

Screenshots

No response

Environment

No response

Additional Context

No response

ignore_external_function_updates is not used

Describe the Bug

I was trying to use ignore_external_function_updates to set ignore on source changes and found that this variable is not used anywhere in the code.

Expected Behavior

It actually changes behaviour :)

Steps to Reproduce

  • Set to true and see nothing changes

Environment:

  • OS: all
  • Version 0.4.1

Invalid for_each argument for aws_iam_role_policy_attachment.custom

Describe the Bug

The terraform apply fails when using a custom policy. Example code:

module "documentdb_scheduler_policy" {
  source = "git::https://github.com/cloudposse/terraform-aws-iam-policy.git?ref=0.3.0"
  
  namespace          = var.project_name
  stage              = local.stage
  name               = "documentdb-scheduler-policy"
  iam_policy_enabled = true
  iam_policy_statements = {
    DocumentDB = {
      effect     = "Allow"
      actions    = ["rds:StartDBCluster", "rds:StopDBCluster"]
      resources  = [module.documentdb.arn]
      conditions = []
    }
  }
}

module "documentdb_scheduler_stop_lambda" {
  source = "git::https://github.com/cloudposse/terraform-aws-lambda-function.git?ref=0.3.6"

  namespace              = var.project_name
  stage                  = local.stage
  name                   = "documentdb-scheduler-stop"
  function_name          = "${module.label_documentdb_scheduler.id}-stop"
  handler                = "stop.lambda_handler"
  runtime                = "python3.8"
  filename               = "lambda/documentdb_scheduler/stop.zip"
  source_code_hash       = data.archive_file.documentdb_scheduler_stop.output_base64sha256
  custom_iam_policy_arns = [module.documentdb_scheduler_policy.policy_arn]
}

Error message:


│ Error: Invalid for_each argument

│ on .terraform\modules\documentdb_scheduler_stop_lambda\iam-role.tf line 79, in resource "aws_iam_role_policy_attachment" "custom":
│ 79: for_each = local.enabled && length(var.custom_iam_policy_arns) > 0 ? var.custom_iam_policy_arns : toset([])
│ ├────────────────
│ │ local.enabled is true
│ │ var.custom_iam_policy_arns is set of string with 1 element

│ The "for_each" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the
│ -target argument to first apply only the resources that the for_each depends on.

Environment:

  • OS: Windows
  • Version 10
  • terraform 1.0.0
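
Both for_each reports on this page (this one and the first issue above) fail for the same reason: Terraform must know every for_each key at plan time, and a resource's ARN is not known until apply. The following is an added example, not the module's own code, of one module-side fix: accept a map whose keys the caller chooses and keep the apply-time ARN only in the value. The variable name custom_iam_policy_arns_map, the attachment resource body, aws_iam_role.this[0] and the caller-side module ref are assumptions.

```hcl
# Added example, not the module's code. The failing line, as quoted in the
# reports, uses the ARNs themselves as the keys; a resource ARN is unknown
# until apply, so the plan cannot enumerate the instances:
#   for_each = local.enabled && length(var.custom_iam_policy_arns) > 0 ? var.custom_iam_policy_arns : toset([])

# Fix: keys are caller-chosen literals (known at plan); values may be unknown.
variable "custom_iam_policy_arns_map" {
  type        = map(string)
  description = "Static key => IAM policy ARN to attach; the ARN may be unknown until apply."
  default     = {}
}

resource "aws_iam_role_policy_attachment" "custom" {
  for_each   = local.enabled ? var.custom_iam_policy_arns_map : {}
  role       = aws_iam_role.this[0].name # assumed: the module's count-gated role
  policy_arn = each.value
}

# Caller side, using the resources from the report above. The key
# "documentdb_scheduler" is a literal, so the plan shows exactly one
# attachment even though the policy ARN is only known after apply.
module "documentdb_scheduler_stop_lambda" {
  source = "git::https://github.com/cloudposse/terraform-aws-lambda-function.git?ref=REF_WITH_MAP_INPUT" # placeholder ref

  namespace        = var.project_name
  stage            = local.stage
  name             = "documentdb-scheduler-stop"
  function_name    = "${module.label_documentdb_scheduler.id}-stop"
  handler          = "stop.lambda_handler"
  runtime          = "python3.8"
  filename         = "lambda/documentdb_scheduler/stop.zip"
  source_code_hash = data.archive_file.documentdb_scheduler_stop.output_base64sha256

  custom_iam_policy_arns_map = {
    documentdb_scheduler = module.documentdb_scheduler_policy.policy_arn
  }
}
```

An index-keyed map built from the original list ({ for i, arn in var.custom_iam_policy_arns : tostring(i) => arn }) also plans cleanly, but it re-keys, and so detaches and re-attaches, every policy whenever the list order changes.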

Allow adding permission directly to the execution role

Describe the Feature

There should be some variable to add permissions here.

Expected Behavior

I would expect to add permissions to the role.

Use Case

When trying to create the lambda on a VPC the following error happens:
The provided execution role does not have permissions to call CreateNetworkInterface on EC2

Attaching another policy to the lambda does not work since the attachment happens once we have created the lambda, and we need CreateNetworkInterface at creation time.

Describe Ideal Solution

Some variable, to add permissions directly.

Alternatives Considered

Tried creating a policy and attaching it directly.

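A workaround for both VPC reports on this page (this feature request and "VPC execution role not attached"), as an added example that is not the module's own code: attach the AWS-managed AWSLambdaVPCAccessExecutionRole policy through custom_iam_policy_arns. Its ARN is a literal, so it is known at plan time and does not trigger the for_each error reported elsewhere on this page. The input variable names, the module version and the label context module.this are assumptions.

```hcl
# Added example, not the module's code. Assumes a cloudposse/label context in
# module.this and that the var.* inputs below exist in the caller.
data "aws_partition" "current" {}

locals {
  # Literal ARN: known at plan time, so the module's for_each over custom
  # policy ARNs can enumerate the attachment (a freshly created
  # aws_iam_policy's .arn would not be known until apply).
  lambda_vpc_policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

module "vpc_lambda" {
  source  = "cloudposse/lambda-function/aws"
  version = "0.5.5" # the version used in the first report on this page

  function_name = module.this.id
  description   = "Lambda attached to private subnets."
  s3_bucket     = var.lambda_s3_bucket
  s3_key        = var.lambda_s3_key
  runtime       = var.lambda_runtime
  handler       = var.lambda_handler
  context       = module.this.context

  # The ENI permissions (ec2:CreateNetworkInterface and related actions) that
  # the "does not have permissions to call CreateNetworkInterface" error asks for.
  custom_iam_policy_arns = [local.lambda_vpc_policy_arn]

  vpc_config = {
    # A dedicated security group with no inbound rules is enough; the
    # function only needs egress.
    security_group_ids = [var.lambda_security_group_id]
    subnet_ids         = var.private_subnet_ids
  }
}
```

The first VPC report says a custom policy cleared the error, while this request reports the attachment landing after the function is created, so confirm on a fresh apply that the role carries the permissions before the function is first invoked.
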
Incorrect assume_role policy when enabling lambda_at_edge

Describe the Bug

Using the following config:

data "archive_file" "lambda_zip_inline" {
  type        = "zip"
  output_path = "/tmp/lambda_zip_inline.zip"
  source {
    content  = <<EOF
module.exports.handler = async (event, context, callback) => {
  console.log('event:', event);
};
EOF
    filename = "index.js"
  }
}

module "test_lambda" {
  source           = "cloudposse/lambda-function/aws"
  version          = "0.3.2"
  lambda_at_edge   = true
  filename         = data.archive_file.lambda_zip_inline.output_path
  function_name    = "my-function"
  handler          = "index.handler"
  runtime          = "nodejs14.x"
  source_code_hash = data.archive_file.lambda_zip_inline.output_base64sha256
}

The deployment fails with the following error:

 Error: error creating Lambda Function (1): InvalidParameterValueException: The role defined for the function cannot be assumed by Lambda.
 {
   RespMetadata: {
     StatusCode: 400,
     RequestID: "333ee194-41b9-4dc4-80f9-dd2ae80f92d8"
   },
   Message_: "The role defined for the function cannot be assumed by Lambda.",
   Type: "User"
 }

   with module.test_lambda.aws_lambda_function.this[0],
   on .terraform/modules/test_lambda/main.tf line 12, in resource "aws_lambda_function" "this":
   12: resource "aws_lambda_function" "this" {

However, if I change this line in this module from

identifiers = var.lambda_at_edge ? ["edgelambda.amazonaws.com"] : ["lambda.amazonaws.com"]

to

identifiers = var.lambda_at_edge ? ["edgelambda.amazonaws.com", "lambda.amazonaws.com"] : ["lambda.amazonaws.com"]

the deployment works as expected.

Expected Behavior

Deployment should succeed when setting lambda_at_edge = true

Environment:

  • OS: OSX v12.3.1
  • Terraform Version: v1.0.6
  • AWS Provider Version: 4.13.0
  • Archive Version: v2.2.0

Enabling `lambda_at_edge` does not enable `publish`

Describe the Bug

The documentation for lambda_at_edge parameter states that:

Required trust relationship and publishing of function versions will be configured.

However, publish is not being set to true when lambda_at_edge is enabled.

Expected Behavior

publish is set to true.
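
The trust relationship that the "Incorrect assume_role policy when enabling lambda_at_edge" report arrives at, written out as a standalone role and function rather than through the module, together with the publish = true setting that this report notes the flag does not apply. This is an added example, not the module's code; the role and function names and the us_east_1 provider alias are assumptions, and the archive_file data source is the one from the Lambda@Edge report above.

```hcl
# Added example, not the module's code.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1" # Lambda@Edge functions must be created in us-east-1
}

data "aws_iam_policy_document" "edge_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type = "Service"
      # Both principals are needed: lambda.amazonaws.com creates and runs the
      # function, edgelambda.amazonaws.com replicates it to the edge locations.
      identifiers = ["lambda.amazonaws.com", "edgelambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "edge" {
  name               = "my-function-edge" # assumed name
  assume_role_policy = data.aws_iam_policy_document.edge_assume_role.json
}

resource "aws_lambda_function" "edge" {
  provider         = aws.us_east_1
  function_name    = "my-function"
  role             = aws_iam_role.edge.arn
  handler          = "index.handler"
  runtime          = "nodejs14.x"
  filename         = data.archive_file.lambda_zip_inline.output_path
  source_code_hash = data.archive_file.lambda_zip_inline.output_base64sha256
  # Lambda@Edge associations require a numbered version, not $LATEST.
  publish = true
}

# CloudFront needs the versioned ARN, which only exists because publish = true.
output "edge_function_qualified_arn" {
  value = aws_lambda_function.edge.qualified_arn
}
```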
