Terraform Cloud apply lambda function fails with ValidationException, AWS CLI lambda create-function with same parameters succeeds
When trying to run a Terraform apply in Terraform Cloud which attempts to create an AWS Lambda function resource, the apply fails with a nondescript ValidationException. No other error is returned. There is an issue in terraform-provider-aws addressing this problem.

This is the Terraform code describing the function:
module "lambda" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "~> 4.7"

  function_name = "${module.this.s3_bucket_id}-to-cloudwatch"
  handler       = "index.handler"
  runtime       = "nodejs12.x"
  timeout       = 60

  create_package         = false
  local_existing_package = "${path.module}/assets/code.zip"

  environment_variables = {
    LOG_GROUP_NAME     = aws_cloudwatch_log_group.log_group.name
    LOAD_BALANCER_TYPE = var.load_balancer_type
  }

  allowed_triggers = {
    S3EventPermission = {
      principal  = "s3.amazonaws.com"
      source_arn = module.this.s3_bucket_arn
    }
  }

  role_path   = "/tf-managed/"
  policy_path = "/tf-managed/"

  attach_cloudwatch_logs_policy = true
  attach_tracing_policy         = true
  tracing_mode                  = "active"

  attach_policy_statements = true
  policy_statements = {
    describe_log_groups = {
      effect    = "Allow"
      actions   = ["logs:DescribeLogGroups"]
      resources = ["*"]
    }
    create_logs = {
      effect = "Allow"
      actions = [
        "logs:DescribeLogStreams",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
      ]
      resources = [aws_cloudwatch_log_group.log_group.arn]
    }
    get_logs = {
      effect    = "Allow"
      actions   = ["s3:GetObject"]
      resources = ["${module.this.s3_bucket_arn}/*"]
    }
  }
}
This is the output of terraform plan for the function:
  # module.cluster_nlb.module.log_bucket.module.lambda.aws_lambda_function.this[0] will be created
  + resource "aws_lambda_function" "this" {
      + architectures                  = (known after apply)
      + arn                            = (known after apply)
      + filename                       = "../../../modules/lb-log-bucket-with-cloudwatch-export/assets/code.zip"
      + function_name                  = "nlb-access-logs-04916534-to-cloudwatch"
      + handler                        = "index.handler"
      + id                             = (known after apply)
      + invoke_arn                     = (known after apply)
      + last_modified                  = (known after apply)
      + memory_size                    = 128
      + package_type                   = "Zip"
      + publish                        = false
      + qualified_arn                  = (known after apply)
      + reserved_concurrent_executions = -1
      + role                           = "arn:aws:iam::585685634436:role/tf-managed/nlb-access-logs-04916534-to-cloudwatch"
      + runtime                        = "nodejs12.x"
      + signing_job_arn                = (known after apply)
      + signing_profile_version_arn    = (known after apply)
      + source_code_hash               = "/pwL7Szm/wc/8dP8/Relzc8vy7nkAUQm9jtvgfWJa5c="
      + source_code_size               = (known after apply)
      + tags_all                       = (known after apply)
      + timeout                        = 60
      + version                        = (known after apply)

      + environment {
          + variables = {
              + "LOAD_BALANCER_TYPE" = "network"
              + "LOG_GROUP_NAME"     = "/aws/elb/network"
            }
        }

      + ephemeral_storage {
          + size = 512
        }

      + tracing_config {
          + mode = "active"
        }
    }
The error as displayed in Terraform Cloud:
Error: error creating Lambda Function (1): ValidationException: status code: 400, request id: [...]
with module.cluster_alb.module.log_bucket.module.lambda.aws_lambda_function.this[0]
on .terraform/modules/cluster_alb.log_bucket.lambda/main.tf line 24, in resource "aws_lambda_function" "this":
resource "aws_lambda_function" "this" {
I've been trying to get a more detailed error by replicating the planned apply in an AWS CLI lambda create-function command. The command completes and successfully creates the Lambda function however.

This is the AWS CLI command:
aws lambda create-function \
--zip-file fileb://../../../modules/lb-log-bucket-with-cloudwatch-export/assets/code.zip \
--function-name 'nlb-access-logs-04916534-to-cloudwatch' \
--handler 'index.handler' \
--memory-size '128' \
--package-type 'Zip' \
--no-publish \
--role 'arn:aws:iam::585685634436:role/tf-managed/nlb-access-logs-04916534-to-cloudwatch' \
--runtime 'nodejs12.x' \
--timeout '60' \
--environment 'Variables={LOG_GROUP_NAME=/aws/elb/network,LOAD_BALANCER_TYPE=network}' \
--tracing-config 'Mode=Active' \
--description '' \
--debug
I have not been able to identify any discrepancies between the AWS CLI command and the Terraform plan, or why the validation would fail in Terraform.
I had set tracing_mode = "active" in the Terraform configuration, but passed --tracing-config 'Mode=Active' to the AWS CLI.

Valid values for tracing_mode are "PassThrough" and "Active". Note that the word "Active" must be capitalized.
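The Lambda API validates these enum values server-side and case-sensitively, and the only hint that comes back is the bare ValidationException shown above. A cheap way to catch this before an apply is to lint the plan JSON (terraform show -json tfplan) for known case-sensitive fields. The script below is an added example, not code from the question, the answer or the terraform-aws-modules project; it assumes the plan layout produced by terraform show -json (nested blocks such as tracing_config appear as a list of objects) and a small enum table copied from the Lambda CreateFunction API reference (TracingConfig.Mode: Active or PassThrough; PackageType: Zip or Image). The sample plan embedded at the bottom is constructed to mirror the one in the question.

```python
"""Pre-apply lint for case-sensitive AWS Lambda enum values in a Terraform plan.

Added example, not from the original post. Enum values are from the Lambda
CreateFunction API reference; the plan layout follows `terraform show -json`.
"""
import json

# The Lambda API rejects any other spelling, including "active" for "Active".
LAMBDA_ENUMS = {
    "tracing_config.mode": {"Active", "PassThrough"},
    "package_type": {"Zip", "Image"},
}


def check_value(field, value):
    """Return None if value is valid for field, else a human-readable problem."""
    allowed = LAMBDA_ENUMS[field]
    if value in allowed:
        return None
    # A case-insensitive hit means the value is right apart from its spelling,
    # which is exactly the mistake behind the opaque ValidationException.
    for candidate in allowed:
        if candidate.lower() == str(value).lower():
            return f"{field}={value!r} has wrong case; use {candidate!r}"
    return f"{field}={value!r} is not one of {sorted(allowed)}"


def check_lambda_function(after):
    """Check the planned ('after') attributes of one aws_lambda_function."""
    problems = []
    if "package_type" in after:
        p = check_value("package_type", after["package_type"])
        if p:
            problems.append(p)
    # Nested blocks are lists of objects in plan JSON; an absent block is None.
    for block in after.get("tracing_config") or []:
        p = check_value("tracing_config.mode", block.get("mode"))
        if p:
            problems.append(p)
    return problems


def check_plan(plan_json):
    """Map resource address -> problems for every aws_lambda_function being created or updated."""
    findings = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "aws_lambda_function":
            continue
        if not {"create", "update"} & set(rc["change"].get("actions", [])):
            continue
        problems = check_lambda_function(rc["change"].get("after") or {})
        if problems:
            findings[rc["address"]] = problems
    return findings


# Constructed sample plan (not real output) modelled on the question's plan:
# one function carrying the lowercase "active" that the API rejects.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "module.lambda.aws_lambda_function.this[0]",
            "type": "aws_lambda_function",
            "change": {
                "actions": ["create"],
                "after": {
                    "function_name": "example-to-cloudwatch",
                    "package_type": "Zip",
                    "tracing_config": [{"mode": "active"}],
                },
            },
        }
    ]
})

if __name__ == "__main__":
    import sys
    # Usage: terraform show -json tfplan > plan.json && python check_plan.py plan.json
    plan = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    findings = check_plan(plan)
    for address, problems in findings.items():
        print(address)
        for p in problems:
            print("  -", p)
    sys.exit(1 if findings else 0)
```

Run against the constructed sample it reports the tracing_config.mode casing problem and exits non-zero, so it can sit in a CI step before terraform apply. For a Terraform Cloud run, download the plan JSON from the run's API or UI and pass that file instead of a local tfplan.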