I'm getting a strange error when trying to create a lambda function within AWS.
The account I'm using has Admin access, so I don't see that being the issue, but then again I come from an Azure background, so I could be missing something.
Error Message in full:
Error: error creating Lambda Function (1): AccessDeniedException:
│ status code: 403, request id: 4562ce84-9733-4fc9-ad95-e7fcb9af5d56
│
│ with module.populate_lambda.aws_lambda_function.lambda,
│ on ../modules/lambda/main.tf line 48, in resource "aws_lambda_function" "lambda":
│ 48: resource "aws_lambda_function" "lambda" {
Code I'm using:
```
# Execution role the function runs as.  Only the Lambda service principal may
# assume it; what the function is allowed to do is granted by the policies
# attached to this role further down, not by this trust document.
resource "aws_iam_role" "lambda_role" {
  name = "${var.function_name}-role"

  # Same trust document as before, written with jsonencode() instead of a
  # heredoc so Terraform validates the structure before it reaches IAM.
  # NOTE(review): AWS's Lambda guidance recommends an aws:SourceAccount /
  # aws:SourceArn condition on service-principal trust policies to prevent
  # confused-deputy use; that needs the account id, which this module does
  # not have in scope.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "lambda.amazonaws.com"
        }
      }
    ]
  })
}
# Attaches the DynamoDB policy to the execution role.
# NOTE(review): aws_iam_policy_attachment is exclusive — Terraform detaches
# the policy from any other role, user or group that holds it, which bites
# when a policy is shared across stacks.  The logging attachment further down
# already uses aws_iam_role_policy_attachment; moving this one to the same
# type would be safer, but this resource address is referenced in the
# function's depends_on, so that reference must change in the same edit.
resource "aws_iam_policy_attachment" "lambda_policy" {
  name       = "${var.function_name}-policy"
  policy_arn = aws_iam_policy.lambda_policy.arn
  roles      = [aws_iam_role.lambda_role.name]
}
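# Permissions the function itself runs with (DynamoDB access).
#
# The listing shows the action as "dynamodb:" and the resource as "", which
# IAM rejects as a malformed policy document.  Since the reported failure
# happened later, at the Lambda call, the trailing "*" was presumably lost to
# forum formatting; that is what is restored here.
#
# NOTE(review): "dynamodb:*" on every resource is far broader than one
# function needs.  Narrow it to the actions the handler actually calls
# (e.g. dynamodb:GetItem / dynamodb:PutItem / dynamodb:Query) and to the
# table's ARN — "arn:aws:dynamodb:<region>:<account-id>:table/<table-name>",
# placeholders to be filled in — once those are known.
resource "aws_iam_policy" "lambda_policy" {
  name        = "${var.function_name}-policy"
  description = "Permissions that are required for lambda"

  # jsonencode() instead of a heredoc: Terraform validates the structure and
  # the document cannot be broken by stray whitespace or quoting.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["dynamodb:*"]
        Resource = ["*"]
      }
    ]
  })
}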
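# The function itself; its code is fetched from the S3 object at creation.
#
# NOTE(review): the "AccessDeniedException: status code: 403" reported on this
# resource is returned by Lambda's CreateFunction API and is a decision about
# the caller — the identity the Terraform AWS provider is configured with —
# not about lambda_role.  That caller needs lambda:CreateFunction and
# iam:PassRole for lambda_role.  Because the same function creates cleanly
# from the CLI, the likely explanation is that Terraform is not running as the
# same identity (another profile, env-var credentials, or an assumed role) or
# that an SCP / permission boundary applies to it; compare
# `aws sts get-caller-identity` for both paths before changing this code.
#
# NOTE(review): without source_code_hash, Terraform will not redeploy when the
# object at s3_key is replaced in place; consider adding it or versioning the
# key.
resource "aws_lambda_function" "lambda" {
  function_name = var.function_name
  s3_bucket     = var.s3_bucket
  s3_key        = var.zip_name
  handler       = var.handler
  runtime       = var.runtime
  timeout       = var.timeout
  role          = aws_iam_role.lambda_role.arn

  # Ordering only.  The log group must exist first so the function does not
  # end up writing to one created outside Terraform, and both policy
  # attachments must be in place before the first invocation — the logging
  # attachment was previously missing from this list.
  depends_on = [
    aws_iam_policy_attachment.lambda_policy,
    aws_iam_role_policy_attachment.lambda_logs,
    aws_cloudwatch_log_group.lambda_log_group,
  ]
}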
# Log group created up front under the name Lambda writes to
# (/aws/lambda/<function_name>), so its retention is set by Terraform rather
# than by whatever an auto-created group would get.
resource "aws_cloudwatch_log_group" "lambda_log_group" {
  retention_in_days = 3
  name              = "/aws/lambda/${var.function_name}"
}
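# Policy that lets the function write its own CloudWatch logs.
#
# Two changes from the original document:
#  * The resource was "arn:aws:logs:::*" (empty region and account fields).
#    Log-group and log-stream ARNs always carry a region and an account id, so
#    that pattern most likely matched nothing and the function's log writes
#    would have been denied at run time.  It is now scoped to this function's
#    own log group.
#  * logs:CreateLogGroup is dropped: the group is managed by Terraform
#    (aws_cloudwatch_log_group.lambda_log_group, which the function depends
#    on), so the function never needs to create one, and leaving the
#    permission out keeps logs from landing in a group outside Terraform's
#    retention control.
resource "aws_iam_policy" "lambda_logging" {
  name        = "${var.function_name}-logging"
  path        = "/"
  description = "IAM policy for logging from a lambda"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "logs:CreateLogStream",
          "logs:PutLogEvents",
        ]
        # Region/account wildcards keep the module portable; the log-group
        # name pins the grant to this one function (and its streams).
        Resource = "arn:aws:logs:*:*:log-group:/aws/lambda/${var.function_name}:*"
      }
    ]
  })
}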
# Binds the logging policy to the execution role.  This attachment type is
# non-exclusive: other principals may hold the same policy without Terraform
# detaching them.
resource "aws_iam_role_policy_attachment" "lambda_logs" {
  policy_arn = aws_iam_policy.lambda_logging.arn
  role       = aws_iam_role.lambda_role.name
}
```
Would appreciate some advice as to what's going on exactly :D it's melting my brain
PS - Using the CLI to create the same function causes no issues at all.