terraform-provider-aws: Better Lambda error

When creating a Lambda function, I get

Error: Error creating Lambda function: ValidationException: 
	status code: 400, request id: 2db74e8f-49b6-4fe7-a005-55ac6afa6d23

I had used role name instead of role ARN. Does the API provide any further detail than status code 400 about the problem? If so, we should display that.

See also https://discuss.hashicorp.com/t/error-creating-lambda-function-validationexception/8192/3

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 60
  • Comments: 23 (3 by maintainers)

Most upvoted comments

TL;DR I think we have some compatibility problem between AWS SDK/API and the underlying AWS service for Lambda.

Faced with an obvious discrepancy in error reporting by AWS CLI and Terraform, I decided to dig a bit deeper.

Here’s the API response, taken from the Terraform debug log:

2022-02-01T20:12:59.603Z [INFO]  provider.terraform-provider-aws_v3.74.0_x5: 2022/02/01 20:12:59 [DEBUG] [aws-sdk-go] DEBUG: Response lambda/CreateFunction Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 400 Bad Request
Content-Length: 147
Content-Type: application/json
Date: Tue, 01 Feb 2022 20:12:59 GMT
X-Amzn-Errortype: ValidationException
X-Amzn-Requestid: bdd1fc86-1e92-430f-b386-43b458f6c603


-----------------------------------------------------: timestamp=2022-02-01T20:12:59.603Z

Apparently there’s 147 bytes of JSON content, which must be an encoded error message, which the provider needs to extract and return to Terraform. But the provider seems to throw away the error message and then we simply get a “computer says no” in the console:

│ Error: error creating Lambda Function (1): ValidationException: 
│ 	status code: 400, request id: bdd1fc86-1e92-430f-b386-43b458f6c603

So I tried to obtain the content of that error message. Running my AWS CLI command with --debug I got:

2022-02-02 00:42:23,232 - MainThread - urllib3.connectionpool - DEBUG - https://lambda.eu-west-2.amazonaws.com:443 "POST /2015-03-31/functions HTTP/1.1" 400 147
2022-02-02 00:42:23,233 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Wed, 02 Feb 2022 00:42:23 GMT', 'Content-Type': 'application/json', 'Content-Length': '147', 'Connection': 'keep-alive', 'x-amzn-RequestId': '78eca618-d5bb-41ab-8647-9d152a7fa349', 'x-amzn-ErrorType': 'ValidationException'}
2022-02-02 00:42:23,233 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"message":"1 validation error detected: Value \'1800\' at \'timeout\' failed to satisfy constraint: Member must have value less than or equal to 900"}'

And if I copy the request parameters from Terraform debug log and stick them into an HTTP client, I get a similar response:

HTTP/1.1 400 
Date: Wed, 02 Feb 2022 00:52:26 GMT
Content-Type: application/json
Content-Length: 147
Connection: keep-alive
x-amzn-RequestId: 5933fbf3-bde1-46ef-bc09-d6b8e2014803
x-amzn-ErrorType: ValidationException

{
  "message": "1 validation error detected: Value '1800' at 'timeout' failed to satisfy constraint: Member must have value less than or equal to 900"
}

But AWS API for CreateFunction does not list ValidationException among possible error types. The closest it gets to it is InvalidParameterValueException.

Likewise, aws-sdk-go does not have ValidationException in the list of generated exception classes for Lambda API, most likely because it is absent from the API schema. An example of API that does support ValidationException and has it in the generated API/SDK is ACM.

So I suspect that somehow Lambda service sends back an error type that is not part of the schema for Lambda API, and hence it is not recognised by aws-sdk-go, which makes it fall back to the default implementation, which does not know how to format the message.
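As an added illustration (not code from aws-sdk-go or the provider), the Go program below decodes a response like the one quoted in the comment above and renders the error together with its message, so the detail in the body is not lost when the error type is unfamiliar. `describeError` and `rawResponse` are hypothetical helpers, the request id is a placeholder, and stripping a `:` suffix from the error-type header is an assumption.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed sample: the 147-byte JSON body quoted in the comment above.
const sampleBody = `{"message":"1 validation error detected: Value '1800' at 'timeout' failed to satisfy constraint: Member must have value less than or equal to 900"}`

// rawResponse (hypothetical) builds a raw 400 response; the request id is a placeholder.
func rawResponse(errType, body string) string {
	return fmt.Sprintf("HTTP/1.1 400 Bad Request\r\nContent-Type: application/json\r\n"+
		"Content-Length: %d\r\nx-amzn-RequestId: 00000000-0000-0000-0000-000000000000\r\n"+
		"x-amzn-ErrorType: %s\r\n\r\n%s", len(body), errType, body)
}

// describeError (hypothetical) renders error code, message, status and request id.
func describeError(raw string) (string, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the body size
	if err != nil {
		return "", err
	}
	// Assumption: the header may carry a ":..." suffix after the error name.
	code, _, _ := strings.Cut(resp.Header.Get("X-Amzn-Errortype"), ":")
	var payload struct{ Message string } // encoding/json matches "message" and "Message"
	_ = json.Unmarshal(body, &payload)   // a decode failure falls through to the placeholder
	if payload.Message == "" {
		payload.Message = fmt.Sprintf("(no message decoded from %d-byte body)", len(body))
	}
	return fmt.Sprintf("%s: %s\n\tstatus code: %d, request id: %s",
		code, payload.Message, resp.StatusCode, resp.Header.Get("X-Amzn-Requestid")), nil
}

func main() {
	fmt.Println(describeError(rawResponse("ValidationException", sampleBody)))
}
```

The error type is read only from the header and is never matched against a list of known exceptions, so an unmodelled type still prints with its message.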

Any updates on this? We are facing the same issue and have no idea why. It works in the CLI, so we need the real error message from Terraform.

This may be an upstream issue in the aws-go-sdk V1 library (see https://github.com/aws/aws-sdk-go/issues/4733 for a complete writeup). In this case, the provider itself is not filtering any messaging returned from the CreateFunction call; the additional information just isn’t there.

While we await a response on the bug report, we’ll also investigate updating to V2 of the AWS Go SDK for the Lambda function resource.

I’ve had this error for many reasons, and have spent countless hours trying to figure it out each time. Please fix this, HashiCorp, as Lambdas are becoming critical infrastructure, and we need the actual error to be able to resolve it.

This happens when invoking a lambda from within another lambda

This functionality has been released in v4.56.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!