Reputation: 23
I am trying to create a Lambda function using Terraform. There is no permission issue.
Plan: 7 to add, 0 to change, 0 to destroy.
aws_api_gateway_rest_api.test-rest-api: Creating...
aws_iam_role.test-lambda-role: Creating...
aws_lambda_function.test-lambda: Creating...
aws_api_gateway_rest_api.test-rest-api: Creation complete after 0s [id=13hnx8sw80]
aws_api_gateway_resource.resource: Creating...
aws_iam_role.test-lambda-role: Creation complete after 1s [id=testroleLambda]
aws_api_gateway_resource.resource: Creation complete after 2s [id=yd8iyo]
aws_api_gateway_method.method: Creating...
aws_api_gateway_method.method: Creation complete after 0s [id=agm-13hnx8sw80-yd8iyo-GET]
╷
│ Error: error creating Lambda Function (1): ValidationException:
│ status code: 400, request id: f769fb69-dbfe-4b8d-8321-e87c01eaffd9
│
│ with aws_lambda_function.test-lambda,
│ on main.tf line 41, in resource "aws_lambda_function" "test-lambda":
│ 41: resource "aws_lambda_function" "test-lambda" {
I tried to debug and it has the same info. There is nothing much.

TF_LOG=TRACE terraform apply 2>&1 | tee apply.txt
As per this git page it's a known error. https://github.com/hashicorp/terraform-provider-aws/issues/13709 Has anyone got it resolved? I'm using Terraform v1.1.5 on linux_amd64
# Lambda
resource "aws_lambda_permission" "test-lambda" {
  statement_id  = "AllowExecutionFromAPIGateway"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.test-lambda.function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "arn:aws:execute-api:${var.region_name}:${var.accountId}:${aws_api_gateway_rest_api.test-rest-api.id}"
}

resource "aws_lambda_function" "test-lambda" {
  filename      = "test-lambda.zip"
  function_name = "test-lambda"
  role          = aws_iam_role.test-lambda-role.arn
  handler       = "test-lambda.lambda_handler"
  runtime       = "python3.8"
}

resource "aws_iam_role" "test-lambda-role" {
  name               = "roleLambda"
  assume_role_policy = <<-POLICY
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
      }
    ]
  }
  POLICY
}
Upvotes: 1
Views: 1160
Reputation: 728
I was able to successfully create the lambda function and IAM role resources:
# YOUR PROVIDER IS LIKELY DIFFERENT THAN MINE
provider "aws" {
  region              = "us-east-1"
  access_key          = "AAAABBBBCCCC"
  secret_key          = "DDDDDEEEFFFGGGGHHH"
  allowed_account_ids = ["YOUR-AWS-ACCOUNT-ID"]
}

# I USE TERRAFORM CLOUD FOR BACKEND STATE FILE MGMT
# THIS IS LIKELY NOT RELEVANT TO YOU
terraform {
  backend "remote" {
    hostname     = "app.terraform.io"
    organization = "MYORG"
    workspaces {
      name = "testing"
    }
  }
}

#resource "aws_lambda_permission" "test-lambda" {
#  statement_id  = "AllowExecutionFromAPIGateway"
#  action        = "lambda:InvokeFunction"
#  function_name = aws_lambda_function.test-lambda.function_name
#  principal     = "apigateway.amazonaws.com"
#  source_arn    = join("",["arn:aws:execute-api:",var.region_name,var.accountId,aws_api_gateway_rest_api.test-rest-api.id])
#}

resource "aws_lambda_function" "test-lambda" {
  filename      = "test-lambda.zip"
  function_name = "test-lambda"
  role          = aws_iam_role.test-lambda-role.arn
  handler       = "test-lambda.lambda_handler"
  runtime       = "python3.8"
}

resource "aws_iam_role" "general" {
  name        = "YOUR-ROLE-NAME"
  description = "YOUR-ROLE-DESCRIPTION"
  //managed_policy_arns = var.managed_policy_arns
  assume_role_policy = file("${path.module}/assume-role-policy.json")
  //tags = var.tags
}

resource "aws_iam_policy" "general" {
  name        = "YOUR-POLICY-NAME"
  description = "YOUR-POLICY-DESCRIPTION"
  policy      = file("${path.module}/role-policy.json")
}

resource "aws_iam_role_policy_attachment" "general" {
  role       = aws_iam_role.general.name
  policy_arn = aws_iam_policy.general.arn
}

// CONTENTS OF POLICY ./assume-role-policy.json used in aws_iam_role resource:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": "sts:AssumeRole",
    "Principal": {
      "Service": [
        "lambda.amazonaws.com",
        "apigateway.amazonaws.com"
      ]
    },
    "Effect": "Allow",
    "Sid": ""
  }]
}

// CONTENTS OF ROLE ./role-policy.json used in aws_iam_policy resource:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:*",
      "events:*",
      "cloudwatch:*",
      "logs:*",
      "ssm:*",
      "kms:*",
      "sns:*",
      "iam:GetPolicy",
      "iam:GetPolicyVersion",
      "iam:GetRole",
      "s3:*",
      "servicediscovery:*"
    ],
    "Resource": "*"
  },
  {
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*",
    "Condition": {
      "StringLike": {
        "iam:AWSServiceName": "events.amazonaws.com"
      }
    }
  }]
}
Could you try to create just those lambda and IAM resources & see if you still get the same error? That would indicate there's an issue with the lambda permission resource or the API Gateway resource the permissions are referencing. I would still double-check that your provider is set up properly with the correct region and AWS account id, just to rule that out. I've updated my answer to show how I typically manage IAM permissions with lambda. You can modify accordingly based on permissions you need.
Upvotes: 2
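The answer's role-policy.json is a starting point to be trimmed "based on permissions you need". As an added example (not code from either post), the check below runs over a constructed copy of that policy's shape and flags Allow statements that pair service-wide action wildcards with `Resource: "*"` and no Condition, then shows a logging-only execution policy (hypothetical account id and region placeholders) that passes the check.

```python
import json

# Constructed copy of the role-policy.json shape from the answer, trimmed to
# the parts the check needs; this is not the page's file itself.
BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:*", "logs:*", "kms:*", "s3:*", "iam:GetRole"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "iam:CreateServiceLinkedRole",
     "Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*",
     "Condition": {"StringLike": {"iam:AWSServiceName": "events.amazonaws.com"}}}
  ]
}
""")

# A scoped alternative for a function that only needs to write its own logs.
# Region, account id and log group name are hypothetical placeholders.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/test-lambda:*"
    }]
}


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def find_wildcards(policy):
    """Return one finding per Allow statement that grants a service-wide
    action wildcard ('*' or 'svc:*') on Resource '*' without a Condition."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild_actions and "*" in resources and "Condition" not in statement:
            findings.append({"statement": index, "actions": wild_actions})
    return findings
```

Run `find_wildcards` against the policy you actually attach; a non-empty result is the list of statements to scope down before the role goes to production.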