I am trying to set up my current infrastructure in Terraform (v 0.13.0). I am simply starting with migrating existing lambda functions. I have used the following code to try to upload an existing lambda function in .NET Core 3.1 to AWS (provider v. 3.0). I have no issue deploying this manually, but this is obviously not the goal.
Here is the IAM role:
resource "aws_iam_role" "role_lambda" {
  name               = "roleLambda"
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
POLICY
}
Below the function (note I have obfuscated some values):
resource "aws_lambda_function" "lambda_tf" {
  function_name     = "LambdaTFTest"
  role              = aws_iam_role.role_lambda.arn
  handler           = "Lambda::Lambda.Function::FunctionHandler"
  runtime           = "dotnetcore3.1"
  s3_bucket         = "arn:aws:s3:::xxxx-xxxxxx"
  s3_key            = "Lambda.zip"
  s3_object_version = "XxXxXxXxXxXxXxXxXxXxXxXxXxXx"
}
However I keep getting this error as an output with no more details:
Error: Error creating Lambda function: ValidationException:
status code: 400, request id: a5e89c38-d1f1-456d-93c1-41650fb45386
I already made sure that my lambda is deployed within the same region as the s3 bucket itself so this is not the issue. I thought this could be related to some invalid parameters but I have played with all of them and can't manage to find the problem. I have also double checked the correct spelling of the key, version and so on. How can I make progress on this?
Thanks in advance for your help.
The aws_iam_role has a syntax error. There is a missing - in front of POLICY if you want to keep it tabbed:
resource "aws_iam_role" "role_lambda" {
  name               = "roleLambda"
  assume_role_policy = <<-POLICY
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          },
          "Effect": "Allow",
          "Sid": ""
        }
      ]
    }
    POLICY
}
In aws_lambda_function, the s3_bucket should be just the bucket name, not its ARN:
resource "aws_lambda_function" "lambda_tf" {
  function_name     = "LambdaTFTest"
  role              = aws_iam_role.role_lambda.arn
  handler           = "Lambda::Lambda.Function::FunctionHandler"
  runtime           = "dotnetcore3.1"
  s3_bucket         = "xxxx-xxxxxx"
  s3_key            = "Lambda.zip"
  s3_object_version = "XxXxXxXxXxXxXxXxXxXxXxXxXxXx"
}
This issue is caused by low values of timeout or using role name instead of role ARN. I changed from:
role = aws_iam_role.lambda_role.name
to
role = aws_iam_role.lambda_role.arn
And the function deployment was successful.
This comes down to one of the parameters being passed in being invalid.
Ensure that the Lambda name is unique, the S3 bucket and key exist and that the IAM role has the assume role policy when it’s attached.
The runtime is correct, everything else is user defined so would need you to validate.
Try using filename property instead of S3 (this will use local disk instead of S3). Does that work? If so it might be S3 permissions.
If you verify everything and it’s still not working the best suggestion would be to raise with AWS support providing the request ID.
It could really be any of the parameters you pass to lambda resource. In my case I said the timeout was "900000" instead of 900. I assumed it to be in ms for some reason.
In my case it was the name of the lambda function. I was using spacing and it's not allowed.
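
The causes reported in the answers above (a bucket ARN in s3_bucket, a role name instead of a role ARN, a timeout of 900000 instead of 900, spaces in the function name) can all be checked before running terraform apply, since the API returns the same bare ValidationException for each. The Python check below is an added example, not code from any of the posts; its regular expressions are simplified assumptions about the CreateFunction limits, and the account ID in the sample role ARN is constructed.

```python
import re

# Simplified assumptions about the limits Lambda's CreateFunction call enforces.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")            # plain function name, no spaces
ROLE_ARN_RE = re.compile(r"^arn:aws[a-zA-Z-]*:iam::\d{12}:role/.+$")
BUCKET_RE = re.compile(r"^[0-9A-Za-z._-]{3,63}$")         # bucket name, never an ARN
MAX_TIMEOUT_SECONDS = 900                                 # timeout is in seconds, not ms


def validate_lambda_args(args):
    """Return {argument: problem} for a dict of aws_lambda_function arguments."""
    problems = {}

    if not NAME_RE.match(args.get("function_name", "")):
        problems["function_name"] = "only letters, digits, '-' and '_' (max 64 chars)"

    if not ROLE_ARN_RE.match(args.get("role", "")):
        problems["role"] = "expected the IAM role ARN, not the role name"

    bucket = args.get("s3_bucket")
    if bucket is not None:
        if bucket.startswith("arn:"):
            problems["s3_bucket"] = "pass the bucket name, not its ARN"
        elif not BUCKET_RE.match(bucket) or bucket.endswith("."):
            problems["s3_bucket"] = "not a valid bucket name"

    try:
        timeout = int(args.get("timeout", 3))   # 3 seconds is the Terraform default
    except (TypeError, ValueError):
        timeout = None
    if timeout is None or not 1 <= timeout <= MAX_TIMEOUT_SECONDS:
        problems["timeout"] = "must be a whole number of seconds between 1 and 900"

    return problems


# Constructed sample inputs mirroring the configurations discussed on this page.
ROLE_ARN = "arn:aws:iam::123456789012:role/roleLambda"   # constructed account ID
QUESTION = {"function_name": "LambdaTFTest", "role": ROLE_ARN,
            "s3_bucket": "arn:aws:s3:::xxxx-xxxxxx"}
OTHER_CAUSES = {"function_name": "Lambda TF Test", "role": "roleLambda",
                "s3_bucket": "xxxx-xxxxxx", "timeout": "900000"}
FIXED = {"function_name": "LambdaTFTest", "role": ROLE_ARN,
         "s3_bucket": "xxxx-xxxxxx", "timeout": 900}

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION), ("other causes", OTHER_CAUSES),
                       ("fixed", FIXED)):
        print(label, validate_lambda_args(cfg) or "ok")
```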