15

I am trying to set up my current infrastructure in Terraform (v 0.13.0). I am simply starting with migrating existing lambda functions. I have used the following code to try to upload an existing lambda function in .NET Core 3.1 to AWS (provider v. 3.0). I have no issue deploying this manually, but this is obviously not the goal.

Here is the IAM role:

resource "aws_iam_role" "role_lambda" {
  name = "roleLambda"

  assume_role_policy = <<POLICY
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
      }
    ]
  }
  POLICY
  }

Below is the function (note I have obfuscated some values):

resource "aws_lambda_function" "lambda_tf" {
  function_name     = "LambdaTFTest"
  role              = aws_iam_role.role_lambda.arn
  handler           = "Lambda::Lambda.Function::FunctionHandler"
  runtime           = "dotnetcore3.1"
  s3_bucket         = "arn:aws:s3:::xxxx-xxxxxx"
  s3_key            = "Lambda.zip"
  s3_object_version = "XxXxXxXxXxXxXxXxXxXxXxXxXxXx"
}

However I keep getting this error as an output with no more details:

Error: Error creating Lambda function: ValidationException: 
        status code: 400, request id: a5e89c38-d1f1-456d-93c1-41650fb45386

I already made sure that my lambda is deployed within the same region as the s3 bucket itself, so this is not the issue. I thought this could be related to some invalid parameters, but I have played with all of them and can't manage to find the problem. I have also double-checked the correct spelling of the key, version and so on. How can I make progress on this?

Thanks in advance for your help.

2
  • 1
    Open AWS console, navigate to CloudFormation->Stacks and check why your lambda stack is not executed properly. Commented Aug 15, 2020 at 21:16
  • 4
    Since this is Terraform, it won't appear in the CloudFormation console. Commented Aug 18, 2021 at 18:45

11 Answers

10

This issue is caused by low values of timeout or by using the role name instead of the role ARN. I changed from:

role = aws_iam_role.lambda_role.name

to

role = aws_iam_role.lambda_role.arn

And the function deployment was successful.


Comments

5

The aws_iam_role has a syntax error. There is a missing - in front of POLICY if you want to keep it tabbed:

resource "aws_iam_role" "role_lambda" {
  name = "roleLambda"

  assume_role_policy = <<-POLICY
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
      }
    ]
  }
  POLICY
}

In aws_lambda_function, the s3_bucket should be just the bucket name, not its ARN:

resource "aws_lambda_function" "lambda_tf" {
  function_name     = "LambdaTFTest"
  role              = aws_iam_role.role_lambda.arn
  handler           = "Lambda::Lambda.Function::FunctionHandler"
  runtime           = "dotnetcore3.1"
  s3_bucket         = "xxxx-xxxxxx" 
  s3_key            = "Lambda.zip"
  s3_object_version = "XxXxXxXxXxXxXxXxXxXxXxXxXxXx"
}

Comments

2

This comes down to one of the parameters being passed in being invalid.

Ensure that the Lambda name is unique, the S3 bucket and key exist and that the IAM role has the assume role policy when it’s attached.

The runtime is correct, everything else is user defined so would need you to validate.

Try using filename property instead of S3 (this will use local disk instead of S3). Does that work? If so it might be S3 permissions.

If you verify everything and it’s still not working, the best suggestion would be to raise it with AWS support, providing the request ID.

Comments

1

It could really be any of the parameters you pass to lambda resource. In my case I said the timeout was "900000" instead of 900. I assumed it to be in ms for some reason.

1 Comment

Badly formatted subnets in my case.

1

In my case it was the name of the lambda function. I was using spacing and it's not allowed.

1 Comment

Ah! This was it, Lambda naming conventions. In my case using dots in the version (v0.1). Removed, sorted. Good spot!

1

The s3_bucket should only include the name, like xxxx-xxxxxx

The following formats are wrong:

arn:aws:s3:::xxxx-xxxxxx or s3://xxxx-xxxxxx

1 Comment

I had this exact problem. I was using "arn:aws:s3:::xxxxxxxxxxxx" but changed to just "xxxxxxxxxxxxx" and I was able to deploy my lambda func.

0

I actually got the same error when using a docker image. The fix here is to set the package_type = "Image"

Comments

0

For me it was the lambda description being too long.

Comments
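
Several of the answers above trace the empty ValidationException to one out-of-range argument (function name, bucket format, timeout, description length). The following is an added example, not code from the question or any answer: it uses Terraform variable validation (available in 0.13) so that those cases fail at plan time with a readable message. The variable names are hypothetical, the limits are the Lambda API's documented ones, and the resource assumes the aws_iam_role.role_lambda from the question.

```hcl
# Added example: variable names are illustrative, not from the question.
variable "function_name" {
  type = string
  validation {
    # Lambda names: letters, digits, hyphens, underscores; max 64 characters.
    condition     = can(regex("^[A-Za-z0-9_-]{1,64}$", var.function_name))
    error_message = "The function_name must be 1-64 letters, digits, hyphens or underscores (no spaces or dots)."
  }
}

variable "s3_bucket" {
  type = string
  validation {
    # A bare bucket name has no ':' or '/', so ARNs and s3:// URLs are rejected.
    condition     = can(regex("^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", var.s3_bucket))
    error_message = "The s3_bucket must be a bare bucket name, not an ARN or an s3:// URL."
  }
}

variable "timeout" {
  type    = number
  default = 3
  validation {
    condition     = var.timeout >= 1 && var.timeout <= 900
    error_message = "The timeout is in seconds and must be between 1 and 900."
  }
}

variable "description" {
  type    = string
  default = ""
  validation {
    condition     = length(var.description) <= 256
    error_message = "The description must be at most 256 characters."
  }
}

resource "aws_lambda_function" "lambda_tf" {
  function_name = var.function_name
  description   = var.description
  role          = aws_iam_role.role_lambda.arn # ARN, not .name
  handler       = "Lambda::Lambda.Function::FunctionHandler"
  runtime       = "dotnetcore3.1"
  s3_bucket     = var.s3_bucket
  s3_key        = "Lambda.zip"
  timeout       = var.timeout
}
```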

0

There is a bug with allocating memory more than 4096, so if you copy the example from the Terraform docs it will fail. This does not happen on all AWS accounts but on some.

Comments

0

As this is the top hit on Google for "Terraform Lambda ValidationException", I'll just drop here that I had a list of subnets that was too long. For what it's worth, perhaps it will help someone!

Comments

-1

For those who might have run into the same issue, it might help to try formatting your main.tf file by converting all spaces to tabs.

If you're using VS Code, there is a tab below to convert this, depending on spaces or tabs.

Below: [image]

Convert Indentation to Tabs: [image]

This fixed the issue for me.

Comments
