error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function ARN must reference a specific function version. (The ARN must end with the version number.) ARN: arn:aws:lambda:eu-west-1:128523434494:function:security-headers-terraform-new:$LATEST #21238
Comments
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "3.61.0"
    }
  }
}

provider "aws" {
  region = "eu-west-1"
}

resource "aws_s3_bucket" "creattestbucketshreyaaftp" {
  bucket        = "rtedd"
  acl           = "private"
  force_destroy = true
}

resource "aws_iam_role" "iam_for_lambda" {
  name = "iam_for_lambda"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

# No publish argument here, so qualified_arn resolves to ":$LATEST"
resource "aws_lambda_function" "testlambda56rty" {
  function_name = "security-headers-terraform-new"
  filename      = "aftp-qa-cloudfront-security-headers.zip"
  role          = aws_iam_role.iam_for_lambda.arn
  runtime       = "nodejs12.x"
  handler       = "index.js"
}

resource "aws_cloudfront_origin_access_identity" "newOAI" {
  comment = "OAI User"
}

locals {
  s3_origin_id = "S3AFTPOrigin"
}

resource "aws_cloudfront_distribution" "s3-distribution" {
  origin {
    domain_name = aws_s3_bucket.creattestbucketshreyaaftp.bucket_regional_domain_name
    origin_id   = local.s3_origin_id

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.newOAI.cloudfront_access_identity_path
    }
  }

  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"
  aliases             = ["examplerrr.futuretalentplatform.com"]

  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = local.s3_origin_id

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    lambda_function_association {
      event_type   = "viewer-request"
      lambda_arn   = aws_lambda_function.testlambda56rty.qualified_arn
      include_body = false
    }

    viewer_protocol_policy = "allow-all"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn = "arn:aws:acm:us-east-1:128523434494:certificate/cf938fd1-f6e5-400c-8bf7-b67cc5a2d160"
    ssl_support_method  = "sni-only"
  }
}

data "aws_iam_policy_document" "s3_policy" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.creattestbucketshreyaaftp.arn}/*"]

    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.newOAI.iam_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "s3policyforOAI" {
  bucket = aws_s3_bucket.creattestbucketshreyaaftp.id
  policy = data.aws_iam_policy_document.s3_policy.json
}
```

This is my Terraform script. Can anyone please help me with the error?
Hey @shreyashi1209 👋 Thank you for taking the time to file this issue. In looking over it, I noticed something that I think might make the difference here. Looking at the outputs for the
With that in mind, I reviewed the AWS documentation around Lambda function versions, which says:
With that information, my read is that there are two possible solutions for this:
We are seeing the same problems. However, publish = true is already set on our Lambda@Edge function, and using .arn instead of qualified_arn results in an ARN without the "$LATEST" tag at the end; however, the error message remains the same.
Hey @McTristan 👋 Thank you for confirming that. With that information in mind, I've marked this as a bug so that we can take a look into it as soon as time allows.
I had the same problem, but @justinretzolk's solution worked for me. My code looked like this:

```hcl
lambda_function_association {
  event_type   = "viewer-request"
  lambda_arn   = "${aws_lambda_function.my_resource.arn}:${aws_lambda_function.my_resource.version}"
  include_body = false
}
```

I also set the
This is a problem for me as well, but because I'm using my Lambda across several CloudFront stacks, I'm unable to define the Lambda with the CloudFront. I tried to define data aws_lambda_function references to the functions, but the function version shows as "$LATEST", not the actual latest version. From the source stack, I can see the actual version in the resource object. My states are all in S3, and I was able to work around this by using "terraform_remote_state" references to all of my Lambda functions. I did need to define output values for all of the data I wanted to share, but this workaround is working for me.
Hi all 👋 Thank you all for confirming that the above information helped! With that in mind, we'll close this issue for now. If you feel we've done this in error, please do let us know, or open a new issue with additional information.
It would be nice if this could be fixed properly so that workarounds were not necessary. I was wasting a bunch of time trying to get aws_lambda_function DATA references to work until I stumbled across the remote state option. I originally ignored that option because I didn't realize it would work with S3 storage.
Hey @MrVJTod -- I think that's a totally valid ask, so I'll re-open the issue so that we can look into this a bit more.
It looks like if the Lambda is already published and then in another stack (where you create CloudFront) you use
However, if you create CloudFront and the Lambda in the same stack and then use
The real problem here is that Lambda@Edge requires us to specify the specific version that CloudFront will use, so an ARN like Here's what needs to be done:
This will result in an ARN that looks like this
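The fixes the thread converges on (publish = true so qualified_arn carries a numbered version, the manual "${arn}:${version}" form, and terraform_remote_state for a distribution built in a different stack) combined into one configuration. This is an added example, not code from the issue or the provider; the S3 backend bucket/key and the output name are assumed.

```hcl
##########################################################
# Stack A (owns the Lambda): publish numbered versions
# and export the versioned ARN for other stacks.
##########################################################
resource "aws_lambda_function" "edge" {
  function_name = "security-headers-terraform-new"
  filename      = "aftp-qa-cloudfront-security-headers.zip"
  role          = aws_iam_role.iam_for_lambda.arn
  runtime       = "nodejs12.x"
  handler       = "index.js"

  # Without publish = true no numbered version exists, so
  # qualified_arn ends in ":$LATEST" and CloudFront rejects it.
  publish = true

  # Makes Terraform notice a changed zip and publish a new version.
  source_code_hash = filebase64sha256("aftp-qa-cloudfront-security-headers.zip")
}

# Same-stack use: both expressions resolve to "...:function:NAME:<n>".
locals {
  edge_arn_qualified = aws_lambda_function.edge.qualified_arn
  edge_arn_manual    = "${aws_lambda_function.edge.arn}:${aws_lambda_function.edge.version}"
}

output "edge_lambda_qualified_arn" {
  value = aws_lambda_function.edge.qualified_arn
}

##########################################################
# Stack B (owns a CloudFront distribution): read Stack A's
# state from S3 rather than data "aws_lambda_function",
# which the thread reports resolving to $LATEST.
##########################################################
data "terraform_remote_state" "lambda" {
  backend = "s3"
  config = {
    bucket = "example-tfstate-bucket"        # assumed
    key    = "stack-a/terraform.tfstate"     # assumed
    region = "eu-west-1"
  }
}

# Fragment: place inside default_cache_behavior of the
# aws_cloudfront_distribution resource.
lambda_function_association {
  event_type   = "viewer-request"
  lambda_arn   = data.terraform_remote_state.lambda.outputs.edge_lambda_qualified_arn
  include_body = false
}
```

Apply Stack A first so the output exists in state before Stack B plans.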
Steps to Reproduce: terraform apply