AWS API Gateway and Lambda function deployed through terraform -- Execution failed due to configuration error: Invalid permissions on Lambda function

Problem description

I'm deploying an API gateway and a Lambda function together through Terraform, and the Lambda function is meant to be triggered by the API Gateway. After the resources successfully deploy, I test the API Gateway and I get this response:

{ "message": "Internal server error" }

The actual logs of the API gateway say:

Execution failed due to configuration error: Invalid permissions on Lambda function

I can get the actual api-lambda functionality to work by going to the integration request section of the API gateway, reselecting my existing function, and "saving" it again with the little checkmark, but this breaks automation and I want this to work without having to do that manual step every time. Not sure if this is a bug in Terraform/AWS or if I'm doing something wrong. (Found someone asking the same question but using SAM but no responses: Execution failed due to configuration error: Invalid permissions on Lambda function)

My current setup is deploying the API via a swagger json file, and the Lambda Invoke ARN is used as the URI in the integration section of this file. I have tried switching this between a hard coded ARN and a variable to no avail. I also tried including an aws_api_gateway_deployment and aws_api_gateway_integration resource but I figured that if I'm already using a swagger file, using those would conflict with what the swagger file is already building.

My main.tf for my api_gateway module looks like this:

resource "aws_api_gateway_rest_api" "post_session" {
    name = "${var.api_gateway_name}"
    body = "${data.template_file.post-session.rendered}"

    endpoint_configuration {
        types = ["PRIVATE"]
    }
}

data "template_file" "post-session" {
    template = "${file("../source/aapt-ual-post-session-v1-swagger-apigateway.json")}"

    vars {
        session_init_arn = "${var.session_init_function_arn}"
    }
}

My relevant section of the swagger file looks like this:

"x-amazon-apigateway-integration": {
      "uri": "${session_init_arn}",
      "responses": {
        "default": {
          "statusCode": "200"
        }
      },
      "requestTemplates": {
        "application/json":  ....

And my lambda_permission/api_gateway trigger section of my Lambda module looks like this:

resource "aws_lambda_permission" "post_session_trigger" {
     statement_id  = "Allow_My_Post_Session_Invoke"
     action        = "lambda:InvokeFunction"
     function_name = "${aws_lambda_function.init_function.function_name}"
     principal     = "apigateway.amazonaws.com"
     source_arn = "arn:aws:execute-api:us-east-1:${var.account_id}:${var.post_session_id}/v1/POST/aa/ual/session"

}

Let me know if you have any suggestions, thanks!

Recommended answer

As per the suggestion from Denis Weerasiri, I checked the Lambda permissions after reselecting the Lambda function name in the Integration section of the API Gateway, and it had added another policy. The change that I needed to make was changing the v1 to a * in the source_arn in the Lambda function resource. So the new API Gateway trigger in my Lambda module looks like this:

resource "aws_lambda_permission" "post_session_trigger" {
     statement_id  = "Allow_My_Post_Session_Invoke"
     action        = "lambda:InvokeFunction"
     function_name = "${aws_lambda_function.init_function.function_name}"
     principal     = "apigateway.amazonaws.com"
     source_arn = "arn:aws:execute-api:us-east-1:${var.account_id}:${var.post_session_id}/*/POST/aa/ual/session"
}
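
Added example (not part of the original question or answer): a Python check that evaluates a Lambda resource policy's `AWS:SourceArn` pattern against API Gateway invocation ARNs, showing which stages the `v1` and `*` patterns from the post admit. The account id, API id, function name and the `dev` stage are constructed placeholders, the matcher approximates IAM's `ArnLike`, and `test-invoke-stage` is the stage name used by the API Gateway console's test feature (that the original test was run from the console is an assumption).

```python
import json
import re

SERVICE = "apigateway.amazonaws.com"

def arn_like(pattern, arn):
    """Approximate IAM ArnLike: compare the six colon-separated ARN parts,
    with '*' and '?' as wildcards inside each part."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != len(a_parts):
        return False
    def glob(p, s):
        rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        return re.fullmatch(rx, s) is not None
    return all(glob(p, s) for p, s in zip(p_parts, a_parts))

def allowing_sids(policy_json, invoke_arn):
    """Sids of Allow statements that let API Gateway invoke from invoke_arn."""
    sids = []
    for st in json.loads(policy_json).get("Statement", []):
        principal = st.get("Principal")
        service = principal.get("Service") if isinstance(principal, dict) else None
        if st.get("Effect") != "Allow" or service != SERVICE:
            continue
        cond = {k.lower(): v for k, v in st.get("Condition", {}).get("ArnLike", {}).items()}
        pattern = cond.get("aws:sourcearn")
        # A statement with no SourceArn condition admits every API in every account.
        if pattern is None or arn_like(pattern, invoke_arn):
            sids.append(st.get("Sid"))
    return sids

# Constructed sample data: account id, API id and function name are placeholders.
BASE = "arn:aws:execute-api:us-east-1:123456789012:abc123defg"
def policy(stage):
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "Allow_My_Post_Session_Invoke", "Effect": "Allow",
        "Principal": {"Service": SERVICE}, "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example-init",
        "Condition": {"ArnLike": {"AWS:SourceArn": f"{BASE}/{stage}/POST/aa/ual/session"}}}]})

def report(stage_pattern):
    """Map each candidate stage to whether the policy admits its POST call."""
    stages = ["v1", "test-invoke-stage", "dev"]
    return {s: bool(allowing_sids(policy(stage_pattern), f"{BASE}/{s}/POST/aa/ual/session"))
            for s in stages}

if __name__ == "__main__":
    print("source_arn with /v1/:", report("v1"))
    print("source_arn with /*/: ", report("*"))
```

With `/*/` in the stage position every stage of the API, including any created later, may invoke the function; the method and path segments still restrict it to `POST /aa/ual/session`.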
