cloudposse / terraform-aws-lambda-function
A module for launching Lambda Functions
Home Page: https://cloudposse.com/accelerate
License: Apache License 2.0
Getting the error mentioned below:
╷
│ Error: Invalid for_each argument
│
│ on .terraform\modules\data_science_lambda.data_science_lambda\iam-role.tf line 89, in resource "aws_iam_role_policy_attachment" "custom":
│ 89: for_each = local.enabled ? local.custom_iam_policy_arns_map : {}
│ ├────────────────
│ │ local.custom_iam_policy_arns_map will be known only after apply
│ │ local.enabled is true
│
│ The "for_each" map includes keys derived from resource attributes that
│ cannot be determined until apply, and so Terraform cannot determine the
│ full set of keys that will identify the instances of this resource.
│
│ When working with unknown values in for_each, it's better to define the map
│ keys statically in your configuration and place apply-time results only in
│ the map values.
│
│ Alternatively, you could use the -target planning option to first apply
│ only the resources that the for_each value depends on, and then apply a
│ second time to fully converge.
╵
=====================================================
The policy should be created and aligned with the Lambda role at runtime, along with the AWS Lambda function.
Sample Code:
locals {
  enabled                = module.this.enabled
  custom_iam_policy_arns = [aws_iam_policy.custom_s3_policy.arn]
  s3_lambda_environment  = var.abc_lambda_env == null ? null : { variables = var.abc_lambda_env }
}

data "aws_iam_policy_document" "custom_s3_policy" {
  version = "2012-10-17"

  statement {
    actions = [
      "s3:ListBucket"
    ]
    resources = [
      "arn:aws:s3:::${data.terraform_remote_state.abc_bucket_id.outputs.bucket_id}"
    ]
  }

  # Note: resources = ["*"] grants read access to every secret in the account.
  statement {
    actions = [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
      "secretsmanager:ListSecrets",
      "secretsmanager:ListSecretVersionIds"
    ]
    resources = [
      "*"
    ]
  }
}

resource "aws_iam_policy" "custom_s3_policy" {
  name        = "${module.this.id}-access-policy"
  description = "Custom policy to allow access to one S3 bucket only."
  policy      = data.aws_iam_policy_document.custom_s3_policy.json
  tags        = module.this.tags
}

data "terraform_remote_state" "abc_bucket_id" {
  backend = "s3"
  config = {
    bucket = var.abc_tfstate_bucket_name
    key    = var.abc_s3_bucket_key
    region = "XXX"
  }
}

module "abc_lambda" {
  source  = "cloudposse/lambda-function/aws"
  version = "0.5.5"

  enabled                = true
  function_name          = module.this.id
  description            = "Lambda test."
  s3_bucket              = var.s3_lambda_s3_bucket
  s3_key                 = var.s3_lambda_s3_key
  runtime                = var.s3_lambda_runtime
  handler                = var.s3_lambda_handler
  lambda_environment     = local.s3_lambda_environment
  architectures          = ["x86_64"]
  memory_size            = var.s3_lambda_memory_size
  ephemeral_storage_size = var.s3_lambda_storage_size
  timeout                = var.s3_lambda_timeout
  # The policy ARN is only known after apply, which is what trips the module's for_each.
  custom_iam_policy_arns = local.custom_iam_policy_arns
  context                = module.this.context
  vpc_config             = var.abc_lambda_vpc_config
}

resource "aws_lambda_permission" "allow_s3" {
  statement_id  = "AllowExecutionFromS3"
  action        = "lambda:InvokeFunction"
  function_name = module.abc_lambda.function_name
  principal     = "s3.amazonaws.com"
  source_arn    = data.terraform_remote_state.abc_bucket_id.outputs.bucket_arn
}
I was trying to connect the Lambda to a VPC and it failed with the following error:
"The provided execution role does not have permissions to call CreateNetworkInterface on EC2"
The config simply had these additional lines:
vpc_config = {
  security_group_ids = ["sg-xxxxxxxxxx"]
  subnet_ids         = data.terraform_remote_state.parent.outputs.vpc_private_subnet_ids
}
I believe there's a typo at the following line, as it should be var.vpc_config != null:
terraform-aws-lambda-function/iam-role.tf, line 35 in cb734da
I haven't tested it though.
Temporarily resolved by adding VPC permissions through a custom Lambda policy.
When running terraform plan (or apply), a declaration of this module throws the following warning:
│ Warning: Redundant ignore_changes element
│
│ on .terraform/modules/foo.lambda_changes/main.tf line 21, in resource "aws_lambda_function" "this":
│ 21: resource "aws_lambda_function" "this" {
│
│ Adding an attribute name to ignore_changes tells Terraform to ignore future changes to the argument in configuration after the object has been created, retaining the value originally configured.
│
│ The attribute last_modified is decided by the provider alone and therefore there can be no configured value to compare with. Including this attribute in ignore_changes has no effect. Remove the attribute from ignore_changes to quiet this
│ warning.
│
│ (and one more similar warning elsewhere)
The error is coming from the lifecycle block at https://github.com/cloudposse/terraform-aws-lambda-function/blob/0.5.1/main.tf#L93-L95:
  lifecycle {
    ignore_changes = [last_modified]
  }
When running terraform plan (or apply), a declaration of this module does not throw a "Redundant ignore_changes element" warning.
In my case, I declared this module with s3_bucket and s3_key:
module "lambda_responses" {
  source  = "cloudposse/lambda-function/aws"
  version = "0.5.1"

  function_name = "${module.lambda_label.id}-test"
  attributes    = concat(module.lambda_label.attributes, ["test"])
  description   = "Yay lambdas"
  s3_bucket     = var.responses_lambda_s3_bucket
  s3_key        = var.responses_lambda_s3_key
  runtime       = var.responses_lambda_runtime
  handler       = var.responses_lambda_handler
  architectures = ["x86_64"]
  context       = module.lambda_label.context
}
Then ran terraform apply from the root module shown above.
The Lambda and related resources were created just fine, but the Terraform run ended with the "ignore_changes" warning.
Versions:
Root cause, and the reason for the lifecycle block in the first place: hashicorp/terraform-provider-aws#29085
There is a permanent name change with aws_iam_role.this which is causing the resource to be recreated on every apply.
This is causing further issues with KMS permissions in the lambda function being revoked, including permissions to the default KMS key.
See serverless/examples#279 for context regarding KMS key
IAM role should not be constantly recreated.
Apply module, apply again.
I was trying to use ignore_external_function_updates to set ignore on source changes and found that this variable is not used anywhere in the code.
It actually changes behaviour :)
Set it to true and see nothing changes.
The terraform apply fails when using a custom policy. Example code:
module "documentdb_scheduler_policy" {
  source = "git::https://github.com/cloudposse/terraform-aws-iam-policy.git?ref=0.3.0"

  namespace          = var.project_name
  stage              = local.stage
  name               = "documentdb-scheduler-policy"
  iam_policy_enabled = true
  iam_policy_statements = {
    DocumentDB = {
      effect     = "Allow"
      actions    = ["rds:StartDBCluster", "rds:StopDBCluster"]
      resources  = [module.documentdb.arn]
      conditions = []
    }
  }
}

module "documentdb_scheduler_stop_lambda" {
  source = "git::https://github.com/cloudposse/terraform-aws-lambda-function.git?ref=0.3.6"

  namespace              = var.project_name
  stage                  = local.stage
  name                   = "documentdb-scheduler-stop"
  function_name          = "${module.label_documentdb_scheduler.id}-stop"
  handler                = "stop.lambda_handler"
  runtime                = "python3.8"
  filename               = "lambda/documentdb_scheduler/stop.zip"
  source_code_hash       = data.archive_file.documentdb_scheduler_stop.output_base64sha256
  custom_iam_policy_arns = [module.documentdb_scheduler_policy.policy_arn]
}
Error message:
╷
│ Error: Invalid for_each argument
│
│ on .terraform\modules\documentdb_scheduler_stop_lambda\iam-role.tf line 79, in resource "aws_iam_role_policy_attachment" "custom":
│ 79: for_each = local.enabled && length(var.custom_iam_policy_arns) > 0 ? var.custom_iam_policy_arns : toset([])
│ ├────────────────
│ │ local.enabled is true
│ │ var.custom_iam_policy_arns is set of string with 1 element
│
│ The "for_each" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the
│ -target argument to first apply only the resources that the for_each depends on.
╵
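Both "Invalid for_each argument" reports above (the S3/Secrets Manager policy and the DocumentDB scheduler policy) have the same shape: a policy ARN that is unknown until apply ends up as a for_each key inside the module. The following is an added example, written for this page and not code from the module or from either reporter. It keeps the for_each in the root module with literal map keys and apply-time values, which is what the Terraform error message recommends. It assumes the module exposes the execution role name as the output role_name (check outputs.tf of the version you pin; early releases had no role outputs), and that var.bucket_arn and var.secret_arns name the specific resources the function needs, so the Secrets Manager statement does not have to be granted on "*".

```hcl
# Added example, not the module's code or either reporter's configuration.
# Assumed: output "role_name" on the module; placeholder bucket/key/package names.

variable "name" {
  type    = string
  default = "abc-lambda"
}

variable "bucket_arn" {
  type = string # e.g. arn:aws:s3:::my-bucket (placeholder; pass your own)
}

variable "secret_arns" {
  type = list(string) # specific secret ARNs, instead of "*" on Secrets Manager
}

data "aws_iam_policy_document" "custom" {
  statement {
    sid       = "ListOneBucket"
    actions   = ["s3:ListBucket"]
    resources = [var.bucket_arn]
  }

  statement {
    sid       = "ReadNamedSecretsOnly"
    actions   = ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"]
    resources = var.secret_arns
  }
}

resource "aws_iam_policy" "custom" {
  name   = "${var.name}-access-policy"
  policy = data.aws_iam_policy_document.custom.json
}

module "abc_lambda" {
  source  = "cloudposse/lambda-function/aws"
  version = "0.5.5"

  function_name = var.name
  s3_bucket     = "my-artifacts-bucket" # placeholder
  s3_key        = "abc-lambda.zip"      # placeholder
  runtime       = "python3.11"
  handler       = "handler.main"
  # custom_iam_policy_arns is deliberately not set: an ARN that is unknown until
  # apply is exactly what produces "Invalid for_each argument" inside the module.
}

# Keys are literal strings, values are apply-time ARNs, so Terraform knows the
# full instance set at plan time.
locals {
  role_policy_attachments = {
    custom_access = aws_iam_policy.custom.arn
  }
}

resource "aws_iam_role_policy_attachment" "custom" {
  for_each   = local.role_policy_attachments
  role       = module.abc_lambda.role_name # assumed output name
  policy_arn = each.value
}
```

If the attachment has to stay inside the module, the remaining option is the two-step apply the error message describes: terraform apply -target=aws_iam_policy.custom first, then a full apply once the ARN is in state.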
Please add an example that uses the EventBridge rules (CloudWatch Events)
There should be some variable to add permissions here.
I would expect to add permissions to the role.
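The EventBridge wiring requested above, as an added example written for this page rather than an example from the module's repository. It assumes the module outputs "arn" and "function_name" for the function it creates, and uses a placeholder deployment package path.

```hcl
# Added example, not the module's own example code.
# Assumed: module outputs "arn" and "function_name"; placeholder package path.

module "scheduled_lambda" {
  source  = "cloudposse/lambda-function/aws"
  version = "0.5.5"

  function_name = "scheduled-job"
  filename      = "lambda/scheduled-job.zip" # placeholder
  handler       = "handler.main"
  runtime       = "python3.11"
}

resource "aws_cloudwatch_event_rule" "schedule" {
  name                = "scheduled-job-every-hour"
  schedule_expression = "rate(1 hour)"
}

resource "aws_cloudwatch_event_target" "lambda" {
  rule      = aws_cloudwatch_event_rule.schedule.name
  target_id = "scheduled-job"
  arn       = module.scheduled_lambda.arn
}

# Resource-based policy on the function. source_arn pins the grant to this one
# rule; without it, any EventBridge rule, not necessarily one in this account,
# could invoke the function through the events.amazonaws.com principal.
resource "aws_lambda_permission" "allow_eventbridge" {
  statement_id  = "AllowExecutionFromEventBridge"
  action        = "lambda:InvokeFunction"
  function_name = module.scheduled_lambda.function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.schedule.arn
}
```

The execution role needs no EventBridge permissions for this: the rule invokes the function, so the grant lives in the function's resource-based policy, not in the role.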
When trying to create the Lambda in a VPC, the following error happens:
The provided execution role does not have permissions to call CreateNetworkInterface on EC2
Attaching another policy to the Lambda does not work, since the attachment happens once we have created the Lambda, and we need CreateNetworkInterface at creation time.
Some variable, to add permissions directly.
Tried creating a policy and attaching it directly.
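Both VPC reports on this page (the one with the suspected var.vpc_config typo and this one) come down to ordering: the ENI permissions must be on the execution role before CreateFunction is called. The following is an added example, written for this page with plain resources rather than the module, that makes that dependency explicit. It assumes var.subnet_ids and var.security_group_ids describe the private subnets and security group for the function, and uses a placeholder deployment package path.

```hcl
# Added example, not the module's code or either reporter's configuration.
# Assumed: var.subnet_ids / var.security_group_ids; placeholder package path.

variable "subnet_ids" {
  type = list(string)
}

variable "security_group_ids" {
  type = list(string)
}

data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda" {
  name               = "vpc-lambda-role"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

# AWS-managed policy: CloudWatch Logs plus ec2:CreateNetworkInterface,
# ec2:DescribeNetworkInterfaces and ec2:DeleteNetworkInterface, which the Lambda
# service uses (as this role) to attach the function to the VPC.
resource "aws_iam_role_policy_attachment" "vpc_access" {
  role       = aws_iam_role.lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

resource "aws_lambda_function" "vpc" {
  function_name = "vpc-lambda"
  role          = aws_iam_role.lambda.arn
  handler       = "handler.main"
  runtime       = "python3.11"
  filename      = "lambda/vpc-lambda.zip" # placeholder

  vpc_config {
    subnet_ids         = var.subnet_ids
    security_group_ids = var.security_group_ids
  }

  # Referencing the role ARN only orders this after the role, not after the
  # attachment. Without depends_on, CreateFunction can run first and fail with
  # "does not have permissions to call CreateNetworkInterface on EC2".
  depends_on = [aws_iam_role_policy_attachment.vpc_access]
}
```

With the module, the closest equivalent is passing the managed policy's ARN (a literal, so known at plan time) in custom_iam_policy_arns, which is what the earlier reporter did as a workaround; whether the module orders that attachment before the function is created depends on the version you pin.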
Using the following config:
data "archive_file" "lambda_zip_inline" {
  type        = "zip"
  output_path = "/tmp/lambda_zip_inline.zip"
  source {
    content  = <<-EOF
      module.exports.handler = async (event, context, callback) => {
        console.log('event:', event);
      };
    EOF
    filename = "index.js"
  }
}

module "test_lambda" {
  source  = "cloudposse/lambda-function/aws"
  version = "0.3.2"

  lambda_at_edge   = true
  filename         = data.archive_file.lambda_zip_inline.output_path
  function_name    = "my-function"
  handler          = "index.handler"
  runtime          = "nodejs14.x"
  source_code_hash = data.archive_file.lambda_zip_inline.output_base64sha256
}
The deployment fails with the following error:
Error: error creating Lambda Function (1): InvalidParameterValueException: The role defined for the function cannot be assumed by Lambda.
{
RespMetadata: {
StatusCode: 400,
RequestID: "333ee194-41b9-4dc4-80f9-dd2ae80f92d8"
},
Message_: "The role defined for the function cannot be assumed by Lambda.",
Type: "User"
}
with module.test_lambda.aws_lambda_function.this[0],
on .terraform/modules/test_lambda/main.tf line 12, in resource "aws_lambda_function" "this":
12: resource "aws_lambda_function" "this" {
However, if I change this line in this module from
  identifiers = var.lambda_at_edge ? ["edgelambda.amazonaws.com"] : ["lambda.amazonaws.com"]
to
  identifiers = var.lambda_at_edge ? ["edgelambda.amazonaws.com", "lambda.amazonaws.com"] : ["lambda.amazonaws.com"]
the deployment works as expected.
Deployment should succeed when setting lambda_at_edge = true
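The trust relationship the reporter arrived at, as an added example written for this page with plain resources rather than the module. Lambda@Edge requires the execution role to be assumable by both lambda.amazonaws.com and edgelambda.amazonaws.com, and CloudFront attaches a published version rather than $LATEST, so publish = true is set here as well. It assumes the provider is configured for us-east-1, where Lambda@Edge functions must be created.

```hcl
# Added example, not the module's code or the reporter's configuration.
# Assumed: a us-east-1 provider; the inline handler is a constructed stub.

data "aws_iam_policy_document" "edge_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type = "Service"
      # Both principals are required: the regional Lambda service and the
      # replication service that runs the function at the edge.
      identifiers = ["lambda.amazonaws.com", "edgelambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "edge" {
  name               = "my-function-edge-role"
  assume_role_policy = data.aws_iam_policy_document.edge_assume_role.json
}

resource "aws_iam_role_policy_attachment" "edge_logs" {
  role       = aws_iam_role.edge.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

data "archive_file" "edge_zip" {
  type        = "zip"
  output_path = "/tmp/edge_zip.zip"
  source {
    content  = <<-EOF
      module.exports.handler = async (event) => {
        return event.Records[0].cf.request;
      };
    EOF
    filename = "index.js"
  }
}

resource "aws_lambda_function" "edge" {
  function_name    = "my-function"
  role             = aws_iam_role.edge.arn
  handler          = "index.handler"
  runtime          = "nodejs18.x"
  filename         = data.archive_file.edge_zip.output_path
  source_code_hash = data.archive_file.edge_zip.output_base64sha256
  publish          = true # CloudFront associations use the qualified (versioned) ARN

  depends_on = [aws_iam_role_policy_attachment.edge_logs]
}

output "edge_qualified_arn" {
  value = aws_lambda_function.edge.qualified_arn
}
```

The qualified_arn output is what goes into the CloudFront distribution's lambda_function_association; the unqualified ARN is rejected there.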
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.
examples/complete/main.tf
  cloudposse/label/null 0.25.0
examples/complete/providers.tf
examples/complete/versions.tf
  aws >= 3.0
  hashicorp/terraform >= 0.14
examples/docker-image/main.tf
  cloudposse/ecr/aws 0.34.0
  cloudposse/label/null 0.25.0
examples/docker-image/providers.tf
examples/docker-image/versions.tf
  aws >= 3.0
  hashicorp/terraform >= 0.14
main.tf
  cloudposse/cloudwatch-logs/aws 0.6.6
versions.tf
  aws >= 3.0
  hashicorp/terraform >= 0.14
Allow additional policies for Lambda execution role.
Allow Lambda execution role to access my S3 bucket: https://aws.amazon.com/premiumsupport/knowledge-center/lambda-execution-role-s3-bucket/
At least, the module should output aws_iam_role.role.name, using which one can attach policies.
Optionally, add a list of aws_iam_policy.policy.arn as a var and attach those to the role.
The documentation for the lambda_at_edge parameter states that:
Required trust relationship and publishing of function versions will be configured.
However, publish is not being set to true when lambda_at_edge is enabled.
publish is set to true.