lambda error when creating function for secrets rotation using terraform
Could you help me find a way to fix this problem?
I have tried many ideas from Google searches, such as replacing hyphens with underscores.
I also set vpc_config to use the public subnets; it previously used the private ones.
I increased the timeout from 30 to 120 to see whether the problem was there.
This is the error from my GitLab pipeline.

    aws_lambda_function.rotate: Creating...

    Error: error creating Lambda Function (1): ValidationException:
            status code: 400, request id: 375b2989-c466-4f54-b951-31546121edda
      aws_lambda_function.rotate,
      on lambda-rotater.tf line 10, in resource "aws_lambda_function" "rotate":
      10: resource "aws_lambda_function" "rotate" {

Here is the Lambda Terraform code.
    data "aws_caller_identity" "current" {}
    data "aws_region" "current" {}
    data "aws_vpc" "main_vpc" {}

    # Public subnets of the VPC, selected by their Name tag
    data "aws_subnet_ids" "public" {
      vpc_id = data.aws_vpc.main_vpc.id
      tags = {
        Name = "*public*"
      }
    }

    data "aws_subnet" "public_ingress_cidr" {
      for_each = data.aws_subnet_ids.public.ids
      id       = each.value
    }

    # Package the rotation handler into the deployment zip
    data "archive_file" "lambda_archive" {
      type        = "zip"
      source_file = "lambda/lambda_function.py"
      output_path = "lambda/lambda_function.zip"
    }

    resource "aws_lambda_function" "rotate" {
      filename         = data.archive_file.lambda_archive.output_path
      function_name    = "test"
      role             = aws_iam_role.iam_for_lambda.arn
      handler          = "lambda_function.lambda_handler"
      source_code_hash = data.archive_file.lambda_archive.output_base64sha256
      runtime          = "python3.8"
      vpc_config {
        subnet_ids         = data.aws_subnet_ids.public.*.id
        security_group_ids = [aws_security_group.rotation_lambda_sg.id]
      }
      timeout     = 120
      description = "Conducts an AWS SecretsManager secret rotation for RDS using single user rotation scheme"
      environment {
        variables = {
          SECRETS_MANAGER_ENDPOINT = "s.${data.aws_region.current.name}.amazonaws.com"
        }
      }
    }

    # Allow Secrets Manager to invoke the rotation function
    resource "aws_lambda_permission" "allow_secret_manager_call_lambda" {
      function_name = aws_lambda_function.rotate.function_name
      statement_id  = "AllowExecutionSecretManager"
      action        = "lambda:InvokeFunction"
      principal     = "secretsmanager.amazonaws.com"
    }
I have added the IAM Terraform code as well, in case the problem is there.
    # Execution role that the Lambda service is allowed to assume
    resource "aws_iam_role" "iam_for_lambda" {
      name               = "iam_for_lambda"
      assume_role_policy = <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          },
          "Effect": "Allow",
          "Sid": ""
        }
      ]
    }
    EOF
    }

    resource "aws_iam_role_policy_attachment" "lambda-secrets" {
      role       = aws_iam_role.iam_for_lambda.name
      policy_arn = "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
    }

    resource "aws_iam_role_policy_attachment" "lambda" {
      role       = aws_iam_role.iam_for_lambda.name
      policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
    }

    resource "aws_iam_role_policy_attachment" "lambda-vpc" {
      role       = aws_iam_role.iam_for_lambda.name
      policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
    }
Using the Terraform code you provided, I was able to reproduce the problem. I solved it by doing the following:

Change the subnet_ids configuration from:

    vpc_config {
      subnet_ids         = data.aws_subnet_ids.public.*.id
      security_group_ids = [aws_security_group.rotation_lambda_sg.id]
    }

to:

    vpc_config {
      subnet_ids         = data.aws_subnet_ids.public.ids
      security_group_ids = [aws_security_group.rotation_lambda_sg.id]
    }

The wrong version appears to supply the VPC ID instead of a list of subnet IDs. Because the parameter value is incorrect, AWS returns a validation error.
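The mistake the answer describes (a VPC ID landing in `subnet_ids`) is visible in the plan before `apply` ever calls AWS. The following pre-apply check is an added example, not code from the question or the answer: it reads the JSON that `terraform show -json <planfile>` produces and rejects any `aws_lambda_function` whose `vpc_config` carries values that are not `subnet-`/`sg-` identifiers. The plan excerpt embedded in it is constructed to mirror the broken configuration above.

```python
"""Pre-apply check for Terraform plan JSON (terraform show -json tfplan):
flag aws_lambda_function vpc_config entries that are not subnet/security-group IDs."""
import json
import re

SUBNET_ID = re.compile(r"^subnet-[0-9a-f]{8,17}$")
SG_ID = re.compile(r"^sg-[0-9a-f]{8,17}$")

def iter_resources(module):
    """Walk planned_values.root_module and every nested child_modules entry."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def check_lambda_vpc_config(plan):
    """Return a list of (resource address, problem) for every aws_lambda_function
    whose vpc_config holds something other than subnet-/sg- IDs."""
    problems = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("type") != "aws_lambda_function":
            continue
        for cfg in res.get("values", {}).get("vpc_config") or []:
            for sid in cfg.get("subnet_ids") or []:
                if not SUBNET_ID.match(sid):
                    problems.append((res["address"], f"subnet_ids contains non-subnet id {sid!r}"))
            for gid in cfg.get("security_group_ids") or []:
                if not SG_ID.match(gid):
                    problems.append((res["address"], f"security_group_ids contains non-sg id {gid!r}"))
    return problems

# Constructed plan excerpt mirroring the post's broken vpc_config: the splat
# data.aws_subnet_ids.public.*.id resolves to the data source's own id, i.e. the VPC ID.
BROKEN_PLAN = json.loads("""{
 "format_version": "1.0",
 "planned_values": {"root_module": {"resources": [
  {"address": "aws_lambda_function.rotate", "type": "aws_lambda_function",
   "values": {"function_name": "test",
              "vpc_config": [{"subnet_ids": ["vpc-0a1b2c3d4e5f60718"],
                              "security_group_ids": ["sg-0123456789abcdef0"]}]}}]}}}""")

if __name__ == "__main__":
    for address, problem in check_lambda_vpc_config(BROKEN_PLAN):
        print(f"{address}: {problem}")
```

Run it against the real plan with `python check.py < <(terraform show -json tfplan)` after replacing `BROKEN_PLAN` with `json.load(sys.stdin)`; a non-empty result is the signal to fix the expression rather than to retry the pipeline.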