我正在尝试使用 Terraform 将 Node.js 的 Lambda zip 文件部署到自定义 VPC 的私有子网中。`terraform plan` 运行正常，但在 `terraform apply` 应用更改时报错：IAM 角色已创建，但 Lambda 函数没有部署，并且在一分钟内失败。错误为："创建 Lambda 函数 (1) 时出错：ValidationException：状态代码：400，请求 id…"
此lambda将由云监视事件调用。
与VPC角色有关吗?
//calling module
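module "lambda" {
  source = "../modules/lambda"

  providers = {
    aws.programmatic = aws.programmatic
  }

  description   = var.description
  function_name = "rfcsyncfunc"
  handler       = "index.handler"
  runtime       = "nodejs14.x"
  memory_size   = 512
  timeout       = 90
  publish       = false

  reserved_concurrent_executions = 20

  // Deploy and hash the SAME artifact. The original pointed `filename` at the
  // literal string "<module>/filename.zip}" (stray closing brace) while hashing
  // var.filename, so the hash never described the zip actually uploaded and a
  // changed zip would not have triggered a redeploy.
  filename         = var.filename
  source_code_hash = filebase64sha256(var.filename)

  // subnet_ids takes subnet IDs ("subnet-…"), not CIDR blocks; the original
  // passed "x.x.x.x/27" values, which the CreateFunction API rejects with a
  // ValidationException. The values below are placeholders — replace with the
  // real private-subnet IDs and the function's security group.
  vpc_config = {
    security_group_ids = ["sg-123456789"]
    subnet_ids         = ["subnet-PLACEHOLDER-A", "subnet-PLACEHOLDER-B"]
  }

  environment = {
    variables = {
      // Lambda rejects hyphens in variable names; keep keys as NAME_WITH_UNDERSCORES.
      TEST1API_URL = "https://example.com/test.asmx"
      TEST2API_URL = "https://example.com/test/staging/test2.asmx"
    }
  }
}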
//lambda module
// Empty aliased provider: the calling module injects its configured
// "aws.programmatic" provider into this alias via `providers = { … }`.
//
// NOTE(review): none of the resources in this module set
// `provider = aws.programmatic`, so they are created with the module's default
// (unaliased) aws provider inherited from the root, not the injected one —
// confirm which credentials/region the function is meant to land in.
// NOTE(review): an empty aliased provider block inside a child module is the
// legacy pattern; Terraform ≥ 0.13 expects `configuration_aliases` under
// `required_providers` instead.
provider "aws" {
  alias = "programmatic"
}
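// The function itself. Its code comes from a local zip (var.filename) and it
// runs under the aws_iam_role.lambda execution role defined below.
resource "aws_lambda_function" "lambda" {
  // Make sure the execution role already carries its CloudWatch Logs and ENI
  // permissions before CreateFunction is called: a VPC-attached function needs
  // the ENI permissions at creation time, and the role ARN alone does not
  // order the function after the policy attachments. IAM changes also take a
  // moment to propagate, so creating the function too early fails.
  depends_on = [
    aws_iam_role_policy_attachment.cloudwatch_logs,
    aws_iam_role_policy_attachment.vpc_eniattachment,
  ]

  function_name = var.function_name
  description   = var.description
  role          = aws_iam_role.lambda.arn
  handler       = var.handler
  runtime       = var.runtime
  memory_size   = var.memory_size
  timeout       = var.timeout
  publish       = var.publish
  tags          = var.tags

  reserved_concurrent_executions = var.reserved_concurrent_executions

  // Local zip when no bucket is given.
  // NOTE(review): when var.s3_bucket is non-empty nothing else here supplies the
  // code (no s3_bucket / s3_key arguments are set), so the S3 path cannot
  // currently deploy anything — confirm whether it is meant to be supported.
  filename         = var.s3_bucket == "" ? var.filename : null
  source_code_hash = var.source_code_hash

  // Emit the environment block only when the caller supplied one
  // (an empty value yields zero iterations and therefore no block).
  dynamic "environment" {
    for_each = length(var.environment) < 1 ? [] : [var.environment]
    content {
      variables = environment.value.variables
    }
  }

  // Same pattern for VPC attachment: no vpc_config means a non-VPC function.
  // subnet_ids must be subnet IDs, not CIDR ranges.
  dynamic "vpc_config" {
    for_each = length(var.vpc_config) < 1 ? [] : [var.vpc_config]
    content {
      subnet_ids         = vpc_config.value.subnet_ids
      security_group_ids = vpc_config.value.security_group_ids
    }
  }
}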
// Trust policy for the execution role: only the Lambda service principal may
// assume it. Effect is spelled out explicitly (Allow is the default).
// NOTE(review): consider narrowing the trust with aws:SourceAccount /
// aws:SourceArn conditions so only functions in this account can assume the
// role (cross-service confused-deputy mitigation) — needs the account ID, so
// not added here.
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}
// Execution role for the function. It grants nothing by itself; permissions
// come from the managed-policy attachments below, and the caller-supplied
// permissions boundary caps whatever is attached.
resource "aws_iam_role" "lambda" {
  name                 = format("%s-lambdarole", var.function_name)
  assume_role_policy   = data.aws_iam_policy_document.assume_role_policy.json
  permissions_boundary = var.permissions_boundary
}
// Always attached: lets the function create its log group/stream and write
// log events to CloudWatch Logs.
resource "aws_iam_role_policy_attachment" "cloudwatch_logs" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
  role       = aws_iam_role.lambda.name
}
// Attached only for VPC-attached functions: the service needs to create,
// describe and delete the ENIs that place the function in the subnets.
// The commented-out AWSLambdaVPCAccessExecutionRole variant below this block
// is the policy AWS documents for VPC functions; either grants the ENI calls.
resource "aws_iam_role_policy_attachment" "vpc_eniattachment" {
  count = length(var.vpc_config) >= 1 ? 1 : 0

  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
  role       = aws_iam_role.lambda.name
}
/*
resource "aws_iam_role_policy_attachment" "vpc_attachment" {
count = length(var.vpc_config) < 1 ? 0 : 1
role = aws_iam_role.lambda.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}
*/
//module/cloudwatchevent
// Resource policy on the function allowing EventBridge/CloudWatch Events to
// invoke it. source_arn pins the grant to this module's rule, so no other rule
// (or another account's events principal) can use the permission.
resource "aws_lambda_permission" "cloudwatch" {
  count = var.enable ? 1 : 0

  statement_id  = "AllowExecutionFromCloudWatch"
  principal     = "events.amazonaws.com"
  action        = "lambda:InvokeFunction"
  function_name = var.lambda_function_arn
  source_arn    = aws_cloudwatch_event_rule.lambda[count.index].arn
}
// The rule that fires the function, either on a schedule or on a matching
// event pattern (whichever variable the caller sets).
// NOTE(review): the provider treats `name` and `name_prefix` as conflicting,
// so only one of them may be non-null at a time — callers must leave the
// other unset.
resource "aws_cloudwatch_event_rule" "lambda" {
  count = var.enable ? 1 : 0

  name        = var.name
  name_prefix = var.name_prefix
  description = var.description

  schedule_expression = var.schedule_expression
  event_pattern       = var.event_pattern
  is_enabled          = var.is_enabled
}
// Wires the rule to the function; the matching aws_lambda_permission above is
// what actually authorises the invocation.
resource "aws_cloudwatch_event_target" "lambda" {
  count = var.enable ? 1 : 0

  arn  = var.lambda_function_arn
  rule = aws_cloudwatch_event_rule.lambda[count.index].name
}
只是分享我的案例，希望能节省别人的时间。我删除了环境变量键名中的连字符后就可以了：从 KEY-NAME 改为 KEY_NAME。我看到有些人也通过删除函数名称中的点等字符解决了问题。ValidationException 的错误消息相当模糊。