terraform-provider-aws: resource/aws_lambda_function - possible regression w/3.17.0 on us-east-2

Community Note

  • Please vote on this issue by adding a šŸ‘ reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave ā€œ+1ā€ or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform 0.12.25, 0.13.5 AWS Provider 3.17.0 and beyond (tested on 3.21.0 and the issue is still there)

Affected Resource(s)

  • aws_lambda_function

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Any aws_lamdba_function blocks, an example can be seen here: https://github.com/hashicorp/terraform-provider-aws/issues/16398

Debug Output

Panic Output

Expected Behavior

Terraform apply is successful

Actual Behavior

Error: error getting Lambda Function Code Signing Config: AccessDeniedException: 11:31:34 status code: 403, request id: e5539b23-7f69-478d-ae36-67bc55c8e50c

Steps to Reproduce

  1. terraform apply on us-east-2

Important Factoids

This issue is very similar to https://github.com/hashicorp/terraform-provider-aws/issues/16398. People have commented that it does not work for us-east-1 also.

References

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Reactions: 11
  • Comments: 16 (5 by maintainers)

Commits related to this issue

Most upvoted comments

I found this while debugging an issue and found that I also needed to grant lambda:GetFunctionCodeSigningConfig

+5
bcsgh on Dec 15, 2020

Iā€™m getting the same error in ap-northeast-3 and we are not trying to enable code signing at all. This code used to work fine, so something about introducing Lambda code signing into the AWS Provider has broken Lambda functions in general in ap-northeast-3, whether or not you are trying to use the code signing functionality.

+4
brikis98 on Apr 15, 2021

This is a problem preventing the deployment of lambdas to ap-northeast-3 entirely. The most trivial example fails with the issue described, even will full admin permissions because the code signing service (AWS Signer) does not exist in ap-northeast-3. It is not a matter of permissions it is a matter of the service not existing in this region.

Try the following with the latest aws provider:

resource "aws_iam_role" "iam_for_lambda" {
  name = "role-for-ap-northeast-3"
  assume_role_policy = ""
}

resource "aws_lambda_function" "test_lambda" {
  filename      = "lambda_function_payload.zip"
  function_name = "test_function"
  role          = aws_iam_role.iam_for_lambda.arn
  handler       = "handler.lambda_handler"

  runtime = "python3.8"
}

provider "aws" {
  region ="ap-northeast-3"
}

results in:

$ terraform apply
aws_lambda_function.test_lambda: Refreshing state... [id=lambda_function_name]
ā•·
ā”‚ Error: error getting Lambda Function (lambda_function_name) code signing config AccessDeniedException: 
ā”‚       status code: 403, request id: 9c6cf779-8ce2-49bd-8ab3-e97e8fa5dd0f
ā”‚ 
ā”‚   with aws_lambda_function.test_lambda,
ā”‚   on main.tf line 6, in resource "aws_lambda_function" "test_lambda":
ā”‚    6: resource "aws_lambda_function" "test_lambda" {
ā”‚

This is not a small unusual region either anymore as Osaka ap-northeast-3 went GA on 2021-03-1 https://aws.amazon.com/blogs/aws/aws-asia-pacific-osaka-region-now-open-to-all-with-three-azs-more-services/

+3
Sam-Martin on Jul 13, 2021

@kyleckf Yes, lambda:GetCodeSigningConfig is a required permission. If I attach an IAM policy like

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "lambda:GetCodeSigningConfig",
            "Resource": "*"
        }
    ]
}

to my test account then I get

$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSLambdaFunction_codeSigningConfig'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSLambdaFunction_codeSigningConfig -timeout 120m
=== RUN   TestAccAWSLambdaFunction_codeSigningConfig
=== PAUSE TestAccAWSLambdaFunction_codeSigningConfig
=== CONT  TestAccAWSLambdaFunction_codeSigningConfig
    resource_aws_lambda_function_test.go:194: Step 1/5 error: Error running apply: 2020/12/15 11:58:49 [DEBUG] Using modified User-Agent: Terraform/0.12.26 HashiCorp-terraform-exec/0.10.0
        
        Error: error reading Lambda code signing config (arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-0db84535440db24e0): AccessDeniedException: 
        	status code: 403, request id: 19c55ac6-51b3-43a0-bc84-b291c9595eec
        
        
        
        Error: error reading Lambda code signing config (arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-00bf60596266984f7): AccessDeniedException: 
        	status code: 403, request id: d731cb3d-8fc8-4996-8892-8cb69d264a78
        
        
--- FAIL: TestAccAWSLambdaFunction_codeSigningConfig (9.72s)
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	9.790s
FAIL
GNUmakefile:27: recipe for target 'testacc' failed
make: *** [testacc] Error 1

See the Roadmap for a research task on how we can better describe required IAM permissions.

+1
ewbankkit on Dec 15, 2020
Read more comments on GitHub
← terraform-provider-aws: Resource 'aws_api_gateway_deployment' in 2.3.0 does not have (optional) attribute 'stage_name'
terraform-provider-aws: resource/aws_route: route is not saved in the state when it fails to be available (in 2m) on creation →