Deploying AWS API Gateway and a Lambda function via Terraform - Execution failed due to configuration error: Invalid permissions on Lambda function

Time: 2019-02-22 21:36:16

Tags: amazon-web-services aws-lambda swagger aws-api-gateway terraform

I am deploying an API Gateway and a Lambda function together via Terraform, where the Lambda function is triggered by the API Gateway. After the resources deploy successfully, I test the API Gateway and get this response:

{ "message": "Internal server error" }

The actual API Gateway log says:

Execution failed due to configuration error: Invalid permissions on Lambda function

I can get the API-to-Lambda integration working by going to the Integration Request section of the API Gateway, re-selecting my existing function, and "saving" it again with the little tick, but that breaks the automation, and I want this to work without a manual step every time. I don't know whether this is a bug in Terraform/AWS or something I'm doing wrong. (I found someone asking the same question, but with SAM, and it got no response: Execution failed due to configuration error: Invalid permissions on Lambda function)

My current setup deploys the API through one large JSON file, and the Lambda Invoke ARN is used as the URI in that file's integration section. I have tried switching between a hard-coded ARN and a variable, to no avail. I have also tried including aws_api_gateway_deployment and aws_api_gateway_integration resources, but I found that if I am already using a swagger file, those resources conflict with what the swagger file already builds.

The main.tf of my api_gateway module is as follows:

resource "aws_api_gateway_rest_api" "post_session" {
    name = "${var.api_gateway_name}"
    body = "${data.template_file.post-session.rendered}"

    endpoint_configuration {
        types = ["PRIVATE"]
    }
}

data "template_file" "post-session" {
    template = "${file("../source/aapt-ual-post-session-v1-swagger-apigateway.json")}"

    vars {
        session_init_arn = "${var.session_init_function_arn}"
    }
}

The relevant part of my swagger file looks like this:

"x-amazon-apigateway-integration": {
      "uri": "${session_init_arn}",
      "responses": {
        "default": {
          "statusCode": "200"
        }
      },
      "requestTemplates": {
        "application/json":  ....

The lambda_permission / API Gateway trigger part of my Lambda module looks like this:

resource "aws_lambda_permission" "post_session_trigger" {
    statement_id  = "Allow_My_Post_Session_Invoke"
    action        = "lambda:InvokeFunction"
    function_name = "${aws_lambda_function.init_function.function_name}"
    principal     = "apigateway.amazonaws.com"
    source_arn    = "arn:aws:execute-api:us-east-1:${var.account_id}:${var.post_session_id}/v1/POST/aa/ual/session"
}

If you have any suggestions, please let me know. Thanks!

2 answers:

Answer 0 (score: 1)

Following Denis Weerasiri's suggestion, after re-selecting the Lambda function name in the Integration section of the API Gateway, I checked the Lambda permissions and found that another policy had been added. The change I needed to make was to change the v1 in the source_arn of the Lambda permission resource to *. So the new API Gateway trigger in my Lambda module looks like this:

resource "aws_lambda_permission" "post_session_trigger" {
    statement_id  = "Allow_My_Post_Session_Invoke"
    action        = "lambda:InvokeFunction"
    function_name = "${aws_lambda_function.init_function.function_name}"
    principal     = "apigateway.amazonaws.com"
    source_arn    = "arn:aws:execute-api:us-east-1:${var.account_id}:${var.post_session_id}/*/POST/aa/ual/session"
}

Answer 1 (score: 1)

I had a similar issue and was using Terraform. It needed a policy with "POST" in it. For some reason the /*/ (wildcard) policy didn't work?

Here is the policy and sample Terraform I used to solve this.

Many thanks for all of the above.

Here is what my Lambda function policy JSON and Terraform look like:

    {
      "Version": "2012-10-17",
      "Id": "default",
      "Statement": [
        {
          "Sid": "AllowAPIGatewayInvoke",
          "Effect": "Allow",
          "Principal": {
            "Service": "apigateway.amazonaws.com"
          },
          "Action": "lambda:InvokeFunction",
          "Resource": "arn:aws:lambda:us-east-1:999999999999:function:MY-APP",
          "Condition": {
            "ArnLike": {
              "AWS:SourceArn": "arn:aws:execute-api:us-east-1:999999999999:d85kyq3jx3/test/*/MY-APP"
            }
          }
        },
        {
          "Sid": "e841fc76-c755-43b5-bd2c-53edf052cb3e",
          "Effect": "Allow",
          "Principal": {
            "Service": "apigateway.amazonaws.com"
          },
          "Action": "lambda:InvokeFunction",
          "Resource": "arn:aws:lambda:us-east-1:999999999999:function:MY-APP",
          "Condition": {
            "ArnLike": {
              "AWS:SourceArn": "arn:aws:execute-api:us-east-1:999999999999:d85kyq3jx3/*/POST/MY-APP"
            }
          }
        }
      ]
    }

Add this in Terraform like so:


    //************************************************
    // allows you to read in the ARN and parse out needed info, like region, and account
    //************************************************
    data "aws_arn" "api_gw_deployment_arn" {
        arn = aws_api_gateway_deployment.MY-APP_deployment.execution_arn 
    }

    //************************************************
    // Add in this to support API GW testing in AWS Console.
    //************************************************
    resource "aws_lambda_permission" "apigw-post" {
        statement_id  = "AllowAPIGatewayInvokePOST"
        action        = "lambda:InvokeFunction"
        //function_name = aws_lambda_function.lambda-MY-APP.arn
        function_name = module.lambda.function_name
        principal     = "apigateway.amazonaws.com"

        // "arn:aws:execute-api:us-east-1:473097069755:708lig5xuc/dev/POST1/cloudability-church-ws"
        source_arn = "arn:aws:execute-api:${data.aws_arn.api_gw_deployment_arn.region}:${data.aws_arn.api_gw_deployment_arn.account}:${aws_api_gateway_deployment.MY-APP_deployment.rest_api_id}/*/POST/${var.api_gateway_root_path}"
    }
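The question's trigger and the policy in the second answer both hinge on how the ArnLike condition on AWS:SourceArn is evaluated: API Gateway presents a source ARN of the form arn:aws:execute-api:REGION:ACCOUNT:API-ID/STAGE/METHOD/PATH, and a permission whose pattern pins the stage to v1 will not match an invocation from any other stage (the console's test invocation, for instance, uses the stage name test-invoke-stage). The script below is an added example, not code from the question or either answer: it implements field-by-field ArnLike matching, evaluates the policy JSON from the second answer against a few source ARNs, and reports which statements would admit the call. The API id abc123xyz stands in for the question's var.post_session_id and is a constructed placeholder; the policy's account id, API id and function name are the answer's own placeholders.

```python
import json
import re

# Sample Lambda resource policy, reproduced from the second answer on this page.
# Statement 1 pins the stage ("test") and allows any method; statement 2 allows
# any stage but pins the method (POST).
POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "AllowAPIGatewayInvoke",
      "Effect": "Allow",
      "Principal": {"Service": "apigateway.amazonaws.com"},
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:999999999999:function:MY-APP",
      "Condition": {"ArnLike": {"AWS:SourceArn":
        "arn:aws:execute-api:us-east-1:999999999999:d85kyq3jx3/test/*/MY-APP"}}
    },
    {
      "Sid": "e841fc76-c755-43b5-bd2c-53edf052cb3e",
      "Effect": "Allow",
      "Principal": {"Service": "apigateway.amazonaws.com"},
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:999999999999:function:MY-APP",
      "Condition": {"ArnLike": {"AWS:SourceArn":
        "arn:aws:execute-api:us-east-1:999999999999:d85kyq3jx3/*/POST/MY-APP"}}
    }
  ]
}
""")

FUNCTION_ARN = "arn:aws:lambda:us-east-1:999999999999:function:MY-APP"


def arn_like(pattern: str, arn: str) -> bool:
    """IAM ArnLike semantics: '*' (any characters) and '?' (one character),
    matched separately on each of the six colon-separated ARN fields. The sixth
    field is the resource part and keeps any further ':' and '/' it contains."""
    p_fields = pattern.split(":", 5)
    a_fields = arn.split(":", 5)
    if len(p_fields) != 6 or len(a_fields) != 6:
        return False
    for p, a in zip(p_fields, a_fields):
        regex = re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, a) is None:
            return False
    return True


def execute_api_source_arn(region, account, api_id, stage, method, path):
    """Build the SourceArn that API Gateway presents when invoking a Lambda."""
    return f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/{method}/{path.strip('/')}"


def allowing_sids(policy, function_arn, source_arn):
    """Sids of Allow statements that let apigateway.amazonaws.com call
    lambda:InvokeFunction on function_arn from source_arn (Deny is not modelled)."""
    sids = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Service") != "apigateway.amazonaws.com":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if "lambda:InvokeFunction" not in actions:
            continue
        if not arn_like(stmt["Resource"], function_arn):
            continue
        src_pattern = stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        if src_pattern is None or arn_like(src_pattern, source_arn):
            sids.append(stmt["Sid"])
    return sids


def stage_coverage(pattern, stages, method="POST", path="aa/ual/session",
                   api_id="abc123xyz"):
    """For one method and path, report which stages a SourceArn pattern admits.
    api_id is a constructed placeholder for the question's var.post_session_id."""
    return {
        stage: arn_like(pattern, execute_api_source_arn(
            "us-east-1", "999999999999", api_id, stage, method, path))
        for stage in stages
    }


if __name__ == "__main__":
    # The question's original pattern (stage pinned to v1) next to the fix from answer 0.
    base = "arn:aws:execute-api:us-east-1:999999999999:abc123xyz"
    for pat in (f"{base}/v1/POST/aa/ual/session", f"{base}/*/POST/aa/ual/session"):
        print(pat, "->", stage_coverage(pat, ["v1", "test-invoke-stage"]))
    src = execute_api_source_arn("us-east-1", "999999999999", "d85kyq3jx3", "v1", "POST", "MY-APP")
    print(src, "->", allowing_sids(POLICY, FUNCTION_ARN, src))
```

Keeping the method and path in the pattern while wildcarding only the stage is the least-privilege shape answer 0 arrived at: it admits every stage of that one API, but still refuses other methods and routes, which a bare `/*` after the API id would not.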