CloudFront with Lambda@Edge: 503 The request could not be satisfied

I’m getting the following error while creating CloudFront and Lambda@Edge. I have used Node.js in the Lambda function. Everything is done using Terraform. Here is the error message: The Lambda function associated with the CloudFront distribution is invalid or doesn't have the required permissions.

I have 2 different functions.

  1. viewer request handler
    Here is the IAM permission:
resource "aws_iam_role" "viewer_request_handler" {

  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
EOF
}

data "aws_iam_policy_document" "viewer-request-handler" {
  statement {

    sid = "1"

    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]

    resources = [
      "*",
    ]

    effect = "Allow"
  }

  statement {

    sid = "2"

    actions = [
      "xray:PutTraceSegments",
      "xray:PutTelemetryRecords",
    ]

    resources = [
      "*",
    ]

    effect = "Allow"
  }

  statement {

    actions = [
      "secretsmanager:GetSecretValue",
    ]

    resources = [
      "${data.aws_secretsmanager_secret.by-arn.arn}",
    ]

    effect = "Allow"
  }
}
  2. viewer request listener
resource "aws_iam_role" "viewer_request_listener" {

  assume_role_policy = <<EOF
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": [
					"edgelambda.amazonaws.com",
					"lambda.amazonaws.com"
				]
			},
			"Action": "sts:AssumeRole"
		},
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "edgelambda.amazonaws.com"
			},
			"Action": "sts:AssumeRole"
		}
	]
}
EOF

}

data "aws_iam_policy_document" "viewer-request-listener" {
  statement {

    sid = "1"

    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]

    resources = [
      "*",
    ]

    effect = "Allow"
  }

  statement {

    sid = "2"

    actions = [
      "xray:PutTraceSegments",
      "xray:PutTelemetryRecords",
    ]

    resources = ["*"]

    effect = "Allow"
  }

  statement {

    sid = "3"

    actions = [
      "lambda:InvokeFunction",
    ]

    resources = [
      "${aws_lambda_function.viewer_request_handler.arn}",
    ]

    effect = "Allow"
  }
}

The viewer request handler has access to the authentication. And the viewer request listener has access to the viewer request handler. The viewer request listener is added to the lambda_function_association of CloudFront.

lambda_function_association {
  event_type   = "viewer-request"
  lambda_arn   = aws_lambda_function.viewer_request_listener.qualified_arn
  include_body = false
}

Is there anything missing for the permission?
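
An added example, not part of the original post: a check that a role's trust policy lets both `lambda.amazonaws.com` and `edgelambda.amazonaws.com` assume it, which AWS requires for the execution role of a function attached to a distribution (the listener in this post). The function names are hypothetical, and the two JSON documents are the trust policies from the post, compacted.

```python
import json

# Service principals that must be able to assume a Lambda@Edge execution role.
REQUIRED = {"lambda.amazonaws.com", "edgelambda.amazonaws.com"}

def _as_list(value):
    """IAM allows a single value or a list for Statement, Action and Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusted_services(policy_json):
    """Return the service principals allowed to call sts:AssumeRole."""
    policy = json.loads(policy_json)
    services = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant trust
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):  # skip the bare "*" form
            services.update(_as_list(principal.get("Service")))
    return services

def missing_for_edge(policy_json):
    """Service principals Lambda@Edge needs that the trust policy lacks."""
    return sorted(REQUIRED - trusted_services(policy_json))

# Trust policies from the two roles in the post (whitespace compacted).
HANDLER_TRUST = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}"""

LISTENER_TRUST = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service":
     ["edgelambda.amazonaws.com", "lambda.amazonaws.com"]}, "Action": "sts:AssumeRole"},
  {"Effect": "Allow", "Principal": {"Service": "edgelambda.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}"""

if __name__ == "__main__":
    for name, doc in (("handler", HANDLER_TRUST), ("listener", LISTENER_TRUST)):
        print(name, "missing:", ", ".join(missing_for_edge(doc)) or "none")
```

The handler role trusts only `lambda.amazonaws.com`, which is sufficient as long as that function is invoked by the listener and never attached to the distribution itself.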