【发布时间】:2021-09-26 20:40:54
【问题描述】:
我正在尝试使用 terraform 将 nodejs lambda zip 文件部署到私有子网自定义 vpc 中。
`terraform plan` 运行良好。但是在 `terraform apply` 应用更改时会引发错误。角色已创建,但 lambda 函数未部署,并在一分钟内报错。错误是:
“创建 Lambda 函数时出错 (1): ValidationException: 状态码: 400, request id...”
此 lambda 将由 cloud watch-event 调用。
与 VPC 角色有什么关系?
//calling module
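module "lambda" {
  providers = {
    aws.programmatic = aws.programmatic
  }
  source      = "../modules/lambda"
  description = var.description

  // Deployment package. The original literal ended in a stray `}` ("filename.zip}"),
  // so the path could never match a real file. The hash must be computed from the
  // exact same file that `filename` points at; otherwise every apply either fails
  // (file missing) or reports a spurious code change. TODO confirm the intended path.
  filename         = "${path.module}/filename.zip"
  source_code_hash = filebase64sha256("${path.module}/filename.zip")

  function_name                  = "rfcsyncfunc"
  handler                        = "index.handler"
  runtime                        = "nodejs14.x"
  memory_size                    = 512
  timeout                        = 90
  publish                        = false
  reserved_concurrent_executions = 20

  vpc_config = {
    security_group_ids = ["sg-123456789"]
    // subnet_ids must be VPC subnet IDs ("subnet-..."), not CIDR blocks. The original
    // passed "xx.xx.xxx.xxx/27"-style CIDRs, which the Lambda API cannot resolve and is
    // the most likely source of the 400 ValidationException at create time.
    // Placeholders below — substitute the real subnet IDs.
    subnet_ids = ["subnet-1", "subnet-2"]
  }

  environment = {
    variables = {
      TEST1API_URL = "https://example.com/test.asmx"
      TEST2API_URL = "https://example.com/test/staging/test2.asmx"
    }
  }
}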
//lambda module
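// Aliased provider handed in by the caller via `providers = { aws.programmatic = ... }`.
// Label is quoted to match every other block in this module.
// NOTE(review): no resource in this module selects it with `provider = aws.programmatic`,
// so everything below is created with the module's default `aws` provider, not this
// alias — confirm which credentials/account are intended.
provider "aws" {
  alias = "programmatic"
}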
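resource "aws_lambda_function" "lambda" {
  description                    = var.description
  function_name                  = var.function_name
  handler                        = var.handler
  runtime                        = var.runtime
  memory_size                    = var.memory_size
  timeout                        = var.timeout
  publish                        = var.publish
  reserved_concurrent_executions = var.reserved_concurrent_executions
  tags                           = var.tags

  // Execution role. The role itself is an implicit dependency, but the managed-policy
  // attachments are not: without depends_on Terraform may issue CreateFunction before
  // the ENI permissions are attached, and a VPC-attached function can then fail at
  // creation time because the role cannot yet create network interfaces.
  role = aws_iam_role.lambda.arn
  depends_on = [
    aws_iam_role_policy_attachment.cloudwatch_logs,
    aws_iam_role_policy_attachment.vpc_eniattachment,
  ]

  // Local zip is used only when no S3 bucket is configured.
  // NOTE(review): when var.s3_bucket is non-empty this block sets neither `filename`
  // nor `s3_bucket`/`s3_key`, so the function would have no code source — confirm the
  // S3 path is wired up somewhere, it is not here.
  filename         = var.s3_bucket == "" ? var.filename : null
  source_code_hash = var.source_code_hash

  // Emit the environment block only when the caller supplied one.
  dynamic "environment" {
    for_each = length(var.environment) < 1 ? [] : [var.environment]
    content {
      variables = environment.value.variables
    }
  }

  // Attach to a VPC only when the caller supplied a vpc_config object.
  // subnet_ids must be subnet IDs ("subnet-..."), not CIDR blocks.
  dynamic "vpc_config" {
    for_each = length(var.vpc_config) < 1 ? [] : [var.vpc_config]
    content {
      security_group_ids = vpc_config.value.security_group_ids
      subnet_ids         = vpc_config.value.subnet_ids
    }
  }
}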
// Trust policy for the execution role: only the Lambda service may assume it.
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}
// Execution role for the function; one role per function name.
// permissions_boundary caps whatever the attached policies grant (may be null).
resource "aws_iam_role" "lambda" {
  name                 = format("%s-lambdarole", var.function_name)
  permissions_boundary = var.permissions_boundary
  assume_role_policy   = data.aws_iam_policy_document.assume_role_policy.json
}
// CloudWatch Logs write access (AWS-managed policy), always attached.
resource "aws_iam_role_policy_attachment" "cloudwatch_logs" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
  role       = aws_iam_role.lambda.name
}
// ENI management permissions, attached only when the function is placed in a VPC.
// The function resource should depend on this attachment so the permissions exist
// before CreateFunction is called.
resource "aws_iam_role_policy_attachment" "vpc_eniattachment" {
  count = length(var.vpc_config) < 1 ? 0 : 1

  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
  role       = aws_iam_role.lambda.name
}
/*
resource "aws_iam_role_policy_attachment" "vpc_attachment" {
count = length(var.vpc_config) < 1 ? 0 : 1
role = aws_iam_role.lambda.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}
*/
//module/cloudwatchevent
// Resource policy allowing EventBridge to invoke the function.
resource "aws_lambda_permission" "cloudwatch" {
  count = var.enable ? 1 : 0

  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  principal     = "events.amazonaws.com"
  function_name = var.lambda_function_arn
  // Scoped to this one rule: without source_arn any EventBridge rule using the
  // service principal (potentially from another account) could invoke the function.
  source_arn = aws_cloudwatch_event_rule.lambda[count.index].arn
}
// EventBridge rule that triggers the function (schedule and/or event pattern).
// NOTE(review): `name` and `name_prefix` are mutually exclusive on this resource;
// this only works if the caller leaves one of them null — confirm the variable defaults.
resource "aws_cloudwatch_event_rule" "lambda" {
  count = var.enable ? 1 : 0

  name        = var.name
  name_prefix = var.name_prefix
  description = var.description
  is_enabled  = var.is_enabled

  schedule_expression = var.schedule_expression
  event_pattern       = var.event_pattern
}
// Wires the rule above to the function ARN supplied by the caller.
resource "aws_cloudwatch_event_target" "lambda" {
  count = var.enable ? 1 : 0

  arn  = var.lambda_function_arn
  rule = aws_cloudwatch_event_rule.lambda[count.index].name
}
【问题讨论】:
-
只有私有子网的问题?它是否部署在公共子网中?
-
@john 默认情况下所有子网都附加到 igw。所以从技术上讲,所有这些都是公开的。只是他们没有暴露。
-
你能澄清一下你的意思吗?子网可以是公有的,也可以是私有的。没有其他类型。
-
是的。你说的对。只是它们没有从防火墙端暴露出来,没有 NAT。上述错误并未暗示根本原因。此外,terraform 调试不显示任何详细日志。你认为问题与它是私有的还是公共的有关?
-
cloudwatch 事件的 lambda 调用权限如何?
标签: amazon-web-services aws-lambda terraform amazon-iam amazon-vpc