Terraform error "Provisioned Concurrency Configs cannot be applied to unpublished function versions" - how to solve?

Question

I attempted to create a Provisioned Concurrency Lambda like so:

locals {
  lambda_name = "mylambda"
  provisioned_concurrency = 10
}

module "mylambda-lambda" {
  source = "terraform-aws-modules/lambda/aws"
 
  function_name = "${var.environment_name}-${local.lambda_name}"
  // abriged config detailes
}


module "mylambda-alias" {
  source = "terraform-aws-modules/lambda/aws//modules/alias"
  name = local.lambda_name
  function_name = module.mylambda-lambda.this_lambda_function_name
}

resource "aws_lambda_provisioned_concurrency_config" "auth_authorizer" {
  function_name = module.mylambda-lambda.this_lambda_function_name
  provisioned_concurrent_executions = local.provisioned_concurrency
  qualifier = module.mylambda-alias.this_lambda_alias_name
}

It shows in the console that a qualifier (apparently, the alias) is set to $LATEST.

but with Concurrency setup I got an error

Error: error putting Lambda Provisioned Concurrency Config (<lambda name>): InvalidParameterValueException: Provisioned Concurrency Configs cannot be applied to unpublished function versions.
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "392f5609-086e-43f6-89af-a0ec0f7e3dc7"
  },
  Message_: "Provisioned Concurrency Configs cannot be applied to unpublished function versions.",
  Type: "User"
}

How this error can be avoided?

Answer 1

Here is my lambda of package_type image, sending logs onto cloudwatch configured with aws_lambda_provisioned_concurrency_config as well. Used publish = true in order to publish the lambda first and then implement provisioned concurrency.

resource "aws_iam_role" "iam_for_lambda" {
  name = var.lambda_name

  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action = "sts:AssumeRole",
        Principal = {
          Service = "lambda.amazonaws.com"
        },
        Effect = "Allow"
      }
    ]
  })
}

resource "aws_lambda_function" "lambda-api-authorizer-resource" {
  function_name = var.lambda_name
  role          = aws_iam_role.iam_for_lambda.arn
  timeout       = 300
  package_type  = "Image"
  image_uri = "428505013290.dkr.ecr.us-east-1.amazonaws.com/foxcorp/gatekeeper:${var.image_tag}"
  memory_size = 512
  publish     = true
  environment {
    variables = {
      ENVIRONMENT = var.environment_name
    }
  }
  tags = {
    environment = var.environment_name
    team        = "api"
    service     = "lambda"
    tenant      = "all"
  }
}

resource "aws_cloudwatch_log_group" "lambda_api_authorizer_logs" {
  name              = "/aws/lambda/${aws_lambda_function.lambda-api-authorizer-resource.function_name}"
  retention_in_days = 30
  tags = {
    environment = var.environment_name
    team        = "api"
    tenant      = "all"
  }
}

resource "aws_iam_role_policy" "cloudwatch_lambda_policy" {
  name = format("%s-policy", var.lambda_name)
  role = aws_iam_role.iam_for_lambda.id
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action = [
          "logs:*"
        ],
        Effect   = "Allow",
        Resource = "${aws_cloudwatch_log_group.lambda_api_authorizer_logs.arn}*"
      }
    ]
  })
}

resource "aws_lambda_provisioned_concurrency_config" "lambda-api-authorizer-concurrency" {
  function_name                     = aws_lambda_function.lambda-api-authorizer-resource.function_name
  provisioned_concurrent_executions = 2
  qualifier                         = aws_lambda_function.lambda-api-authorizer-resource.version
}

Answer 2

As pointed out by @jellycsc, you need to publish a new version.

You are already using the terraform aws module for this, which accepts the flag publish

module "mylambda-lambda" {
  source = "terraform-aws-modules/lambda/aws"
  publish = true
 
  function_name = "${var.environment_name}-${local.lambda_name}"
  // abriged config detailes
}

full example here