Error creating Lambda function: 400 ValidationException

Hi team,

I’m new to Terraform, and I am about to build an aws_lambda_function using Terraform.
The role/policy/layer within my .tf file work as expected.
However, when I try to create the Lambda function, it returns a 400 error.

Terraform version: 0.12.21

I’ve been blocked by this error for quite some time and am unable to solve it.
Could someone please help with this?

My lambda resource code:

resource "aws_lambda_function" "securitygroup_lambda" {
  filename         = "lambda_function.zip"
  function_name    = "EC2_securitygroup_audit"
  role             = aws_iam_role.security-group-audit-role.id
  memory_size      = 512
  handler          = "lambda_function.lambda_handler"
  source_code_hash = filebase64sha256("lambda_function.zip")
  runtime          = "python3.8"
  timeout          = 15
  layers           = [aws_lambda_layer_version.security-group-audit-layer.arn]

  environment {
    variables = {
      s3_bucket = "abc"
    }
  }
}

Terraform plan output:

Terraform will perform the following actions:

  # aws_lambda_function.securitygroup_lambda will be created
  + resource "aws_lambda_function" "securitygroup_lambda" {
      + arn                            = (known after apply)
      + filename                       = "lambda_function.zip"
      + function_name                  = "EC2_securitygroup_audit"
      + handler                        = "lambda_function.lambda_handler"
      + id                             = (known after apply)
      + invoke_arn                     = (known after apply)
      + last_modified                  = (known after apply)
      + layers                         = [
          + "arn:aws:lambda:us-west-2:70xxxxxxxxxx:layer:security-group-audit:2",
        ]
      + memory_size                    = 512
      + package_type                   = "Zip"
      + publish                        = false
      + qualified_arn                  = (known after apply)
      + reserved_concurrent_executions = -1
      + role                           = "lambda-security-group-audit-role"
      + runtime                        = "python3.8"
      + signing_job_arn                = (known after apply)
      + signing_profile_version_arn    = (known after apply)
      + source_code_hash               = "wKTCfxxxxxzq3fe+ONLinmpBqxxxxxxxxdOStQvfk="
      + source_code_size               = (known after apply)
      + timeout                        = 15
      + version                        = (known after apply)

      + environment {
          + variables = {
              + "s3_bucket" = "<bucket_name>"
            }
        }

      + tracing_config {
          + mode = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

Terraform apply error message:

2021/09/13 08:30:28 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
Error: error creating Lambda Function (1): ValidationException: 
        status code: 400, request id: cxxxxx7-1xxxb-4-8xxdb-aadxxxx

  on securitygroup.tf line 75, in resource "aws_lambda_function" "securitygroup_lambda":
  75: resource "aws_lambda_function" "securitygroup_lambda" {
2021/09/13 08:30:28 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock

My “export TF_LOG=TRACE” log:

-----------------------------------------------------: timestamp=2021-09-13T08:30:28.329+0800
2021-09-13T08:30:28.329+0800 [INFO]  plugin.terraform-provider-aws_v3.37.0_x5: 2021/09/13 08:30:28 [DEBUG] [aws-sdk-go]: timestamp=2021-09-13T08:30:28.329+0800
2021-09-13T08:30:28.329+0800 [INFO]  plugin.terraform-provider-aws_v3.37.0_x5: 2021/09/13 08:30:28 [DEBUG] [aws-sdk-go] DEBUG: Validate Response lambda/CreateFunction failed, attempt 0/25, error ValidationException: 
        status code: 400, request id: cxxxxx7-1xxxb-4-8xxdb-aadxxxx: timestamp=2021-09-13T08:30:28.329+0800
2021-09-13T08:30:28.329+0800 [INFO]  plugin.terraform-provider-aws_v3.37.0_x5: 2021/09/13 08:30:28 [DEBUG] Unlocking "aws_lambda_function": timestamp=2021-09-13T08:30:28.329+0800
2021-09-13T08:30:28.329+0800 [INFO]  plugin.terraform-provider-aws_v3.37.0_x5: 2021/09/13 08:30:28 [DEBUG] Unlocked "aws_lambda_function": timestamp=2021-09-13T08:30:28.329+0800
2021/09/13 08:30:28 [DEBUG] aws_lambda_function.securitygroup_lambda: apply errored, but we're indicating that via the Error pointer rather than returning it: error creating Lambda Function (1): ValidationException: 
        status code: 400, request id: cxxxxx7-1xxxb-4-8xxdb-aadxxxx
2021/09/13 08:30:28 [TRACE] <root>: eval: *terraform.EvalMaybeTainted
2021/09/13 08:30:28 [TRACE] EvalMaybeTainted: aws_lambda_function.securitygroup_lambda encountered an error during creation, so it is now marked as tainted
2021/09/13 08:30:28 [TRACE] <root>: eval: *terraform.EvalWriteState
2021/09/13 08:30:28 [TRACE] EvalWriteState: removing state object for aws_lambda_function.securitygroup_lambda
2021/09/13 08:30:28 [TRACE] <root>: eval: *terraform.EvalApplyProvisioners
2021/09/13 08:30:28 [TRACE] EvalApplyProvisioners: aws_lambda_function.securitygroup_lambda has no state, so skipping provisioners
2021/09/13 08:30:28 [TRACE] <root>: eval: *terraform.EvalMaybeTainted
2021/09/13 08:30:28 [TRACE] EvalMaybeTainted: aws_lambda_function.securitygroup_lambda encountered an error during creation, so it is now marked as tainted
2021/09/13 08:30:28 [TRACE] <root>: eval: *terraform.EvalWriteState
2021/09/13 08:30:28 [TRACE] EvalWriteState: removing state object for aws_lambda_function.securitygroup_lambda
2021/09/13 08:30:28 [TRACE] <root>: eval: *terraform.EvalIf
2021/09/13 08:30:28 [TRACE] <root>: eval: *terraform.EvalIf
2021/09/13 08:30:28 [TRACE] <root>: eval: *terraform.EvalWriteDiff
2021/09/13 08:30:28 [TRACE] <root>: eval: *terraform.EvalApplyPost
2021/09/13 08:30:28 [ERROR] <root>: eval: *terraform.EvalApplyPost, err: error creating Lambda Function (1): ValidationException: 
        status code: 400, request id: cxxxxx7-1xxxb-4-8xxdb-aadxxxx
2021/09/13 08:30:28 [ERROR] <root>: eval: *terraform.EvalSequence, err: error creating Lambda Function (1): ValidationException: 
        status code: 400, request id: cxxxxx7-1xxxb-4-8xxdb-aadxxxx
2021/09/13 08:30:28 [TRACE] [walkApply] Exiting eval tree: aws_lambda_function.securitygroup_lambda
2021/09/13 08:30:28 [TRACE] vertex "aws_lambda_function.securitygroup_lambda": visit complete
2021/09/13 08:30:28 [TRACE] dag/walk: upstream of "provider.aws (close)" errored, so skipping
2021/09/13 08:30:28 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2021/09/13 08:30:28 [TRACE] dag/walk: upstream of "root" errored, so skipping
2021/09/13 08:30:28 [TRACE] statemgr.Filesystem: not making a backup, because the new snapshot is identical to the old
2021/09/13 08:30:28 [TRACE] statemgr.Filesystem: no state changes since last snapshot
2021/09/13 08:30:28 [TRACE] statemgr.Filesystem: writing snapshot at terraform.tfstate
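As an added example (not the original poster's configuration): the plan output above shows role = "lambda-security-group-audit-role", a role name rather than an ARN, because aws_iam_role.<name>.id is the role name in the AWS provider, while Lambda's CreateFunction API requires the execution role ARN and rejects anything else with a 400 ValidationException. The corrected resource below references .arn instead; the minimal role definition is assumed, since the original is not in the post.

```hcl
# Added example, not the poster's code. Fix: reference the role ARN (.arn),
# not the role name (.id), in aws_lambda_function.role.

# Assumed minimal execution role (the original role block is not in the post).
resource "aws_iam_role" "security-group-audit-role" {
  name = "lambda-security-group-audit-role"

  # Lambda must be allowed to assume the role; without this trust policy
  # CreateFunction fails for a second reason (role cannot be assumed).
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_lambda_function" "securitygroup_lambda" {
  filename         = "lambda_function.zip"
  function_name    = "EC2_securitygroup_audit"
  # .arn yields arn:aws:iam::<account-id>:role/lambda-security-group-audit-role;
  # .id would yield only "lambda-security-group-audit-role" (the plan above).
  role             = aws_iam_role.security-group-audit-role.arn
  memory_size      = 512
  handler          = "lambda_function.lambda_handler"
  source_code_hash = filebase64sha256("lambda_function.zip")
  runtime          = "python3.8"
  timeout          = 15
  layers           = [aws_lambda_layer_version.security-group-audit-layer.arn]

  environment {
    variables = {
      s3_bucket = "abc"
    }
  }
}

# Surfaces the value actually sent to CreateFunction so the plan can be checked.
output "lambda_execution_role" {
  value = aws_lambda_function.securitygroup_lambda.role
}
```

After this change, terraform plan should show the role attribute as an ARN (arn:aws:iam::<account-id>:role/...) or (known after apply) if the role is created in the same run, rather than a bare role name.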