[Terraform] Configuring AWS Lambda + API Gateway

[Steven Fierro]

I think I'm having trouble with the permissions model, and I'm not sure how to fix the issue.

I've attached a Terraform setup that:

• Creates a Lambda function
• Name: "terraform_lambda_hello_world"
• Returns "Hello World"
• Creates a REST endpoint
• API name: "TestAPI"
• Resource: "/test/test/"
• HTTP method: "GET"
  
• Creates an API Gateway Integration
• Sets the REST endpoint to the Lambda function
  
• Creates Lambda Permissions
• Gives the API Gateway method permission to call the Lambda function
  
• Creates a default IAM Role
  
• Gives the role to the Lambda function
  

1. When I apply this setup, everything gets created successfully.
2. I am able to test the Lambda function successfully, but when I attempt to 'Test' the "GET /test/test" endpoint via the AWS web UI, I get an "AccessDeniedException."
3. I then, using the GUI, edit the "/test/test - GET - Integration Request" Lambda field (I don't modify it, just re-save it) and accept the "Add Permissions to Lambda Function" pop-up window.
4. If I re-test the endpoint (step 2), I no longer get an "AccessDeniedException" and the string "Hello World" is returned (although I get a error because there's no Method/Integration response, but that's not a problem).

NOTE: I have verified using the AWS CLI that the Lambda Permissions are exactly the same before and after step 3.

Did I miss something? Is there another permissions related configuration step that I'm missing (that the GUI is doing)?

If you want to run the test, you'll need to modify the *.template.tfvars to include your info. I ran the test like this:

terraform apply -var-file="credentials.tfvar" -var-file="account.tfvar"

The AWS CLI command I used to check the permissions is:

aws lambda get-policy --function-name terraform_lambda_hello_world

Any help would be appreciated.

Thanks,

Steve

[Steven Fierro]

I was unable to view/download the .zip file from my previous post, so here are all the files. You'll need to zip the hello_world.py file to hello_world.zip for the test to work.

[Steven Fierro]

Ugh... that didn't work either. I'll just in-line the files. Sorry.

>>>> account.template.tfvar

account_id = "############"

>>>> credentials.template.tfvar

access_key = "###############"
secret_key = "##########################################"

>>>> hello_world.py

def lambda_handler(event, context):
  return "Hello World"

>>>> local_variables.tf

variable "access_key" {}
variable "secret_key" {}
variable "account_id" {}
variable "region" {
    default = "us-west-2"
}

>>>> provider.tf

provider "aws" {
    access_key = "${var.access_key}"
    secret_key = "${var.secret_key}"
    region = "${var.region}"
}

>>>> test_api.tf

resource "aws_iam_role" "test_role" {
    name = "test_role"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_lambda_function" "test_lambda" {
    filename = "hello_world.zip"
    function_name = "terraform_lambda_hello_world"
    role = "${aws_iam_role.test_role.arn}"
    handler = "hello_world.lambda_handler"
    runtime = "python2.7"
    timeout = "3"
}

resource "aws_lambda_permission" "allow_api_gateway" {
    function_name = "${aws_lambda_function.test_lambda.function_name}"
    statement_id = "AllowExecutionFromApiGateway"
    action = "lambda:InvokeFunction"
    principal = "apigateway.amazonaws.com"
    source_arn = "arn:aws:execute-api:${var.region}:${var.account_id}:${aws_api_gateway_rest_api.test_api.id}/*/${aws_api_gateway_integration.test_test-get-integration.integration_http_method}${aws_api_gateway_resource.test_test.path}"
}

#resource "aws_lambda_alias" "test_alias" {
#    name = "testalias"
#    description = "a sample description"
#    function_name = "${aws_lambda_function.test_lambda.arn}"
#    function_version = "$LATEST"
#}

resource "aws_api_gateway_rest_api" "test_api" {
  name = "TestAPI"
  description = "This is the Test API"
}

resource "aws_api_gateway_resource" "test" {
  rest_api_id = "${aws_api_gateway_rest_api.test_api.id}"
  parent_id = "${aws_api_gateway_rest_api.test_api.root_resource_id}"
  path_part = "test"
}

resource "aws_api_gateway_resource" "test_test" {
  rest_api_id = "${aws_api_gateway_rest_api.test_api.id}"
  parent_id = "${aws_api_gateway_resource.test.id}"
  path_part = "test"
}

resource "aws_api_gateway_method" "test_test-get" {
  rest_api_id = "${aws_api_gateway_rest_api.test_api.id}"
  resource_id = "${aws_api_gateway_resource.test_test.id}"
  http_method = "GET"
  authorization = "NONE"
}

resource "aws_api_gateway_integration" "test_test-get-integration" {
  rest_api_id = "${aws_api_gateway_rest_api.test_api.id}"
  resource_id = "${aws_api_gateway_resource.test_test.id}"
  http_method = "${aws_api_gateway_method.test_test-get.http_method}"
  type = "AWS"
  uri = "arn:aws:apigateway:${var.region}:lambda:path/2015-03-31/functions/arn:aws:lambda:${var.region}:${var.account_id}:function:${aws_lambda_function.test_lambda.function_name}/invocations"
  integration_http_method = "${aws_api_gateway_method.test_test-get.http_method}"
}

[Steven Fierro]

Ok, the issue is solved. My integration_http_method was being set to GET, rather than POST.

[Yuttana Krittasampan]

Hi Steven ,

           I downloaded your files and then set integration_http_method by hard code "POST" already. I run via terraform and there is no error. But when I go to the API Gateway console and test I still get the  "Execution failed due to configuration error: Invalid permissions on Lambda function" at first time. It is the same problem that we encounter. What is the thing I do wroong ? Could you please suggest ?

I also attach the tf file and capture image.

Thanks

Yuttana K.

เมื่อ วันพุธที่ 20 เมษายน ค.ศ. 2016 3 นาฬิกา 58 นาที 36 วินาที UTC+7, Steven Fierro เขียนว่า:

[Estelle Yeh]

Hi Steven,

Your post was very helpful! How did you configure the API Gateway trigger in Lambda using Terraform? I can't find a way to do it and so far, I can only do it manually in AWS (Lambda, Trigger tab)

Thanks,

Estelle

[Kamlesh Mutha]

How do we fix "Invalid permissions on Lambda function" errors? I'm also getting the same error as Estelle, Yuttana mentioned. 

[Giuseppe Borgese]

hello to everybody

to resolve the 

Invalid permissions on Lambda function

you need to apply the code posted in the Steven Ferro's message  

resource "aws_lambda_permission" "allow_api_gateway" {
    function_name = "${aws_lambda_function.test_lambda.function_name}"
    statement_id = "AllowExecutionFromApiGateway"
    action = "lambda:InvokeFunction"
    principal = "apigateway.amazonaws.com"
    source_arn = "arn:aws:execute-api:${var.region}:${var.account_id}:${aws_api_gateway_rest_api.test_api.id}/*/${aws_api_gateway_integration.test_test-get-integration.integration_http_method}${aws_api_gateway_resource.test_test.path}"
}

this basically do the same action that you do with the wizard 

you can use the test button in the api gw to see if the error is disappeared 

let me know if you resolve the problem or not

[Mark Steenbarger]

Thank you @Giuseppe that worked for me!!! 

-Mark

[Vishnu Sai]

@Steven Fierro , I am exactly facing the same issue , but didnt figure it out how to solve this...
It would be so helpful , if you help me through this

[Giuseppe Borgese]

Take a look to my examples 2 comments above