AWS Lambda VPC on Terraform

When creating an AWS Lambda Function with terraform 0.9.3, I'm failing to make it join my selected VPC.

This is what my function looks like:

resource "aws_lambda_function" "lambda_function" {
  s3_bucket     = "${var.s3_bucket}"
  s3_key        = "${var.s3_key}"
  function_name = "${var.function_name}"
  role          = "${var.role_arn}"
  handler       = "${var.handler}"

  runtime     = "${var.runtime}"
  timeout     = "30"
  memory_size = 256
  publish     = true

  vpc_config {
    subnet_ids         = ["${var.subnet_ids}"]
    security_group_ids = ["${var.security_group_ids}"]
  }
}

The policy I'm using for the role is:

data "aws_iam_policy_document" "lambda-policy_policy_document" {
  statement {
    effect = "Allow"
    actions = [
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeSubnets",
      "ec2:DescribeVpcs",
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "ec2:CreateNetworkInterface",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DeleteNetworkInterface"
    ]
    resources = ["*"]
  }
}

The resources are created just fine; if I try to add the VPC and the subnets via the AWS console, it all works out.

Update (creation plan):

module.******.aws_lambda_function.lambda_function
arn:                                 "<computed>"
environment.#:                       "1"
environment.0.variables.%:           "1"
environment.0.variables.environment: "******"
function_name:                       "******"
handler:                             "******"
last_modified:                       "<computed>"
memory_size:                         "256"
publish:                             "true"
qualified_arn:                       "<computed>"
role:                                "******"
runtime:                             "******"
s3_bucket:                           "******"
s3_key:                              "******"
source_code_hash:                    "<computed>"
timeout:                             "30"
version:                             "<computed>"
vpc_config.#:                        "1"
vpc_config.0.vpc_id:                 "<computed>"

However, if I run terraform plan again, the VPC config is always changed:

vpc_config.#: "0" => "1" (forces new resource)

asked Apr 24 '17 14:04 by joaofs

1 Answer

I think the value of subnet_ids is like this: "subnet-xxxxx,subnet-yyyyy,subnet-zzzzz", and it takes it as a single subnet instead of a list. You can fix this problem like this:

vpc_config {
  subnet_ids = ["${split(",", var.subnet_ids)}"]
  security_group_ids = ["${var.security_group_ids}"]
}

answered Sep 16 '22 21:09 by Arbab Nazar
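The split() workaround above fixes the symptom inside the module; the root cause is that the caller hands the module a joined string where a list is expected. The following is an added example, not code from the question or the answer, written in Terraform 0.9 interpolation syntax. It declares the module's inputs as list-typed variables so a comma-joined string can never arrive, shows the caller passing real lists, and attaches a security group whose egress is restricted to what the function actually needs. The module path, the aws_vpc, aws_subnet and aws_iam_role resource names, the bucket/key values and the CIDR are assumptions for illustration.

```hcl
# Added example, not code from the question or the answer. Terraform 0.9
# interpolation syntax. Module path, resource names, bucket/key values and
# the CIDR below are assumptions for illustration.

# --- modules/vpc_lambda/main.tf (assumed path) ---

# Declaring the inputs as lists is the root-cause fix: a list-typed
# variable cannot arrive as the joined string "subnet-a,subnet-b" that
# the accepted answer works around with split().
variable "subnet_ids"         { type = "list" }
variable "security_group_ids" { type = "list" }
variable "s3_bucket"          {}
variable "s3_key"             {}
variable "function_name"      {}
variable "role_arn"           {}
variable "handler"            {}
variable "runtime"            {}

resource "aws_lambda_function" "lambda_function" {
  s3_bucket     = "${var.s3_bucket}"
  s3_key        = "${var.s3_key}"
  function_name = "${var.function_name}"
  role          = "${var.role_arn}"
  handler       = "${var.handler}"
  runtime       = "${var.runtime}"
  timeout       = 30
  memory_size   = 256
  publish       = true

  vpc_config {
    # Both values are already lists, so no split() is needed here.
    subnet_ids         = ["${var.subnet_ids}"]
    security_group_ids = ["${var.security_group_ids}"]
  }
}

# --- root module (caller) ---

# The function's ENIs only need outbound access to what the code calls.
# Restrict egress rather than keeping an allow-all rule.
resource "aws_security_group" "lambda" {
  name   = "lambda-egress"
  vpc_id = "${aws_vpc.main.id}" # assumed existing VPC resource

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"] # constructed CIDR of the internal services the function calls
  }
}

module "vpc_lambda" {
  source = "./modules/vpc_lambda" # assumed path

  s3_bucket     = "my-artifacts"                 # constructed value
  s3_key        = "function.zip"                 # constructed value
  function_name = "vpc-function"                 # constructed value
  role_arn      = "${aws_iam_role.lambda.arn}"   # assumed existing role resource
  handler       = "index.handler"
  runtime       = "nodejs6.10"

  # Pass real lists. Passing join(",", aws_subnet.private.*.id) here is
  # what produces the single bogus "subnet" the answer describes.
  subnet_ids         = ["${aws_subnet.private.*.id}"] # assumed existing subnets
  security_group_ids = ["${aws_security_group.lambda.id}"]
}
```

After applying this, a second terraform plan should show no change to vpc_config; if it still reports vpc_config.# "0" => "1", the value reaching the module is still a string, and terraform console can be used to inspect var.subnet_ids inside the module to confirm its type.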