terraform-provider-aws: Lambda Provisioned Concurrency bug and caveat

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave “+1” or “me too” comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.16

Affected Resource(s)

aws_lambda_provisioned_concurrency_config

Terraform Configuration Files

resource "aws_lambda_provisioned_concurrency_config" "keep-lambda-warm" {
  count                             = var.CAN_CALL_FROM_API_GATEWAY ? 1: 0
  function_name                     = aws_lambda_alias.lambda-alias.arn
  provisioned_concurrent_executions = 1
  qualifier                         = aws_lambda_alias.lambda-alias.name
}

Actual Behavior

I have found two problems with aws_lambda_provisioned_concurrency_config.

Problem 1

When using a lambda arn for the function_name property (it is documented as possible) terraform will fail with this error

Error: error getting Lambda Provisioned Concurrency Config (arn:aws:lambda:eu-west-1:787685363335:function:thom-test:latest:latest): ValidationException: 1 validation error detected: Value 'aws:lambda:eu-west-1:<account-id>:function:thom-test:latest:latest' at 'qualifier' failed to satisfy constraint: Member must satisfy regular expression pattern: (|[a-zA-Z0-9$_-]+)
        status code: 400, request id: c6bb9980-4fb6-494e-8387-3df5f995b001

  on ../lambda/warm.tf line 1, in resource "aws_lambda_provisioned_concurrency_config" "keep-lambda-warm":
   1: resource "aws_lambda_provisioned_concurrency_config" "keep-lambda-warm" {

If you use lambda function_name it works as expected.

Problem 2

Provisioning provisioned_concurrent_executions takes a very very long time (more than 3 minutes) to deploy because I think Terraform is waiting for all provisioned concurrency checks to be ok. I think the problem gets worse the more you add provisioned_concurrent_executions.

Expected Behavior

Problem 1

Should be possible to use arn for function_name property as documented.

Problem 2

Should add a flag to skip waiting for all provisioned_concurrent_executions.

Steps to Reproduce

terraform apply

About this issue

Original URL
State: closed
Created 5 years ago
Reactions: 65
Comments: 20 (6 by maintainers)

Most upvoted comments

What can be done to get some movement on this issue? It’s been open for over a year, has a PR (with tests) against it that hasn’t been merged.

In the mean time this is the workaround we’ve used to avoid this:

resource "aws_lambda_provisioned_concurrency_config" "lambda_concurrency" {
  function_name                     = aws_lambda_function.lambda.function_name # this is the important bit, use the lambda name instead of the alias
  provisioned_concurrent_executions = var.provisioned_concurrency
  qualifier                         = aws_lambda_alias.lambda_alias.name
}

edeesis on Apr 8, 2021

The function_name in the alias definition should be the lambda function name and not the arn. Give it a try

function_name = aws_lambda_function.lambda.arn ==> function_name = aws_lambda_function.lambda.function_name

Yeah, that’s exactly what I suggested in this comment: https://github.com/hashicorp/terraform-provider-aws/issues/11152#issuecomment-816152381

But the fact of the matter is both the AWS docs here: https://docs.aws.amazon.com/lambda/latest/dg/API_PutProvisionedConcurrencyConfig.html

And the terraform docs here: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_provisioned_concurrency_config

Both permit using an arn, so like angelarosario suggested, the docs should be updated or this PR merged.

edeesis on Apr 9, 2021

Should we at least update the Example usage in the documentation in the mean time so that others won’t get this error?

angelarosario on Nov 16, 2020

I have some ideas about how I might go about fixing the first problem. I’ll see if I can submit a PR in the next few days. To add some additional flavor to the original bug report, the lambda put-provisioned-concurrency docs support the following values for the function name parameter:

Function name, e.g., my-function
Function ARN, e.g., arn:aws:lambda:us-west-2:123456789012:function:my-function
Partial ARN, e.g., 123456789012:function:my-function

The resource is persisted into state via the following invocation:

d.SetId(fmt.Sprintf("%s:%s", functionName, qualifier))

The func that parses the id from the state file uses the following code:

func resourceAwsLambdaProvisionedConcurrencyConfigParseId(id string) (string, string, error) {
	parts := strings.SplitN(id, ":", 2)

	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("unexpected format of ID (%s), expected FUNCTION_NAME:QUALIFIER", id)
	}

	return parts[0], parts[1], nil
}

For each of the valid function name values noted in the API documentation, the function name, qualifier arn that this method returns are as follows:

Input Function Name	Input Qualifier	Output Function Name	Output Qualifier
my-function	test	my-function	test
arn:aws:lambda:us-west-2:123456789012:function:my-function	test	arn	aws:lambda:us-west-2:123456789012:function:my-function:test
123456789012:function:my-function	test	123456789012	function:my-function:test

In the case of the two latter items in the table, the qualifier must match the pattern “(|[a-zA-Z0-9$_-]+)”, which the presence of the “:” character does not satisfy.

ericksoen on Jan 17, 2020