【问题标题】:Deploying lambda in private subnet. Error creating Lambda Function (1): ValidationException status code: 400, request id在私有子网中部署 lambda。创建 Lambda 函数时出错 (1):ValidationException 状态码:400,请求 id
【发布时间】:2021-09-26 20:40:54
【问题描述】:

我正在尝试使用 terraform 将 nodejs lambda zip 文件部署到私有子网自定义 vpc 中。 terraform 计划运行良好。但是在应用更改时会引发错误。角色已创建,但 terraform lambda 未部署并在一分钟内出错。错误是: “创建 Lambda 函数时出错 (1): ValidationException: 状态码: 400, request id...”
此 lambda 将由 cloud watch-event 调用。

这是否与 VPC 的 IAM 角色(权限)有关?

//calling module
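module "lambda" {
  source = "../modules/lambda"

  providers = {
    aws.programmatic = aws.programmatic
  }

  description   = var.description
  function_name = "rfcsyncfunc"
  handler       = "index.handler"
  runtime       = "nodejs14.x"

  # Deployment package. The original `filename` ended in a stray "}"
  # ("filename.zip}"), i.e. a path that does not exist. `filename` and
  # `source_code_hash` must refer to the same archive, otherwise the hash
  # never matches the uploaded code and every apply sees a spurious change.
  filename         = var.filename
  source_code_hash = filebase64sha256(var.filename)

  memory_size                    = 512
  timeout                        = 90
  reserved_concurrent_executions = 20
  publish                        = false

  # The Lambda API expects subnet IDs ("subnet-…") and security group IDs
  # ("sg-…") here, not CIDR blocks; values that do not match those patterns
  # are rejected at create time with a ValidationException.
  vpc_config = {
    security_group_ids = ["sg-123456789"]      # placeholder, replace with the real SG id
    subnet_ids         = ["subnet-1", "subnet-2"] # placeholders, replace with the real private subnet ids
  }

  environment = {
    variables = {
      # Environment variable keys must match [a-zA-Z][a-zA-Z0-9_]*; a hyphen in
      # a key is also rejected with a ValidationException.
      TEST1API_URL = "https://example.com/test.asmx"
      TEST2API_URL = "https://example.com/test/staging/test2.asmx"
    }
  }
}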


//lambda module
# Aliased provider the calling module injects via `providers = { aws.programmatic = ... }`.
provider "aws" {
  alias = "programmatic"
}

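# Lambda function backed by a local zip; optionally attached to a VPC and
# given environment variables when the caller supplies them.
resource "aws_lambda_function" "lambda" {
  description   = var.description
  function_name = var.function_name
  handler       = var.handler
  runtime       = var.runtime
  role          = aws_iam_role.lambda.arn

  # NOTE(review): when var.s3_bucket is non-empty `filename` becomes null but no
  # s3_bucket/s3_key attributes are set, so the function would have no code
  # source at all; wire s3_bucket/s3_key inputs here before using that path.
  filename         = var.s3_bucket == "" ? var.filename : null
  source_code_hash = var.source_code_hash

  memory_size                    = var.memory_size
  timeout                        = var.timeout
  reserved_concurrent_executions = var.reserved_concurrent_executions
  publish                        = var.publish
  tags                           = var.tags

  # Emit the environment block only when the caller passed something.
  dynamic "environment" {
    for_each = length(var.environment) < 1 ? [] : [var.environment]
    content {
      variables = environment.value.variables
    }
  }

  # Emit vpc_config only when the caller passed something; subnet_ids must be
  # subnet IDs and security_group_ids must be SG IDs, not CIDRs.
  dynamic "vpc_config" {
    for_each = length(var.vpc_config) < 1 ? [] : [var.vpc_config]
    content {
      security_group_ids = vpc_config.value.security_group_ids
      subnet_ids         = vpc_config.value.subnet_ids
    }
  }

  # Lambda validates the execution role when the function is created. Make the
  # logging and ENI-management policy attachments explicit dependencies so the
  # create call does not race IAM propagation of those permissions.
  depends_on = [
    aws_iam_role_policy_attachment.cloudwatch_logs,
    aws_iam_role_policy_attachment.vpc_eniattachment,
  ]
}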

# Trust policy: only the Lambda service may assume the execution role.
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      identifiers = ["lambda.amazonaws.com"]
      type        = "Service"
    }
  }
}

# Execution role for the function. A permissions boundary is applied when the
# caller provides one, capping whatever the attached policies grant.
resource "aws_iam_role" "lambda" {
  assume_role_policy   = data.aws_iam_policy_document.assume_role_policy.json
  name                 = "${var.function_name}-lambdarole"
  permissions_boundary = var.permissions_boundary
}

# Always attached: lets the function write its logs to CloudWatch Logs.
resource "aws_iam_role_policy_attachment" "cloudwatch_logs" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
  role       = aws_iam_role.lambda.name
}

# Attached only when a vpc_config is supplied: a VPC-attached function needs
# permission to create/describe/delete the ENIs Lambda places in the subnets.
resource "aws_iam_role_policy_attachment" "vpc_eniattachment" {
  count      = length(var.vpc_config) < 1 ? 0 : 1
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
  role       = aws_iam_role.lambda.name
}

/*
resource "aws_iam_role_policy_attachment" "vpc_attachment" {
  count = length(var.vpc_config) < 1 ? 0 : 1
  role  = aws_iam_role.lambda.name  
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}
*/

//cloudwatch event module

# Resource policy on the function: allows EventBridge/CloudWatch Events to
# invoke it, but only from the single rule created below (source_arn).
resource "aws_lambda_permission" "cloudwatch" {
  count = var.enable ? 1 : 0

  action        = "lambda:InvokeFunction"
  function_name = var.lambda_function_arn
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.lambda[count.index].arn
  statement_id  = "AllowExecutionFromCloudWatch"
}

# Event rule driving the function, either by schedule or by event pattern.
# NOTE(review): `name` and `name_prefix` conflict in the AWS provider; the
# caller must leave one of them null — confirm the variable defaults.
resource "aws_cloudwatch_event_rule" "lambda" {
  count = var.enable ? 1 : 0

  name        = var.name
  name_prefix = var.name_prefix
  description = var.description
  is_enabled  = var.is_enabled

  event_pattern       = var.event_pattern
  schedule_expression = var.schedule_expression
}

# Binds the rule above to the function ARN passed in by the caller.
resource "aws_cloudwatch_event_target" "lambda" {
  count = var.enable ? 1 : 0

  arn  = var.lambda_function_arn
  rule = aws_cloudwatch_event_rule.lambda[count.index].name
}

【问题讨论】:

  • 只有私有子网的问题?它是否部署在公共子网中?
  • @john 默认情况下所有子网都附加到 igw。所以从技术上讲,它们都是公有的,只是没有对外暴露。
  • 你能澄清一下你的意思吗?子网可以是公有的,也可以是私有的。没有其他类型。
  • 是的。你说的对。只是它们没有从防火墙端暴露出来,没有 NAT。上述错误并未暗示根本原因。此外,terraform 调试不显示任何详细日志。你认为问题与它是私有的还是公共的有关?
  • cloudwatch 事件的 lambda 调用权限如何?

标签: amazon-web-services aws-lambda terraform amazon-iam amazon-vpc


【解决方案1】:

只是分享我的案例,希望能节省其他人的时间。我从环境变量键名中删除了连字符,它就可以工作了:从 KEY-NAME 改为 KEY_NAME。我看到有些人也通过删除函数名称中的点等字符来解决。 ValidationException 的错误信息非常模糊。

【讨论】:
