Better Lambda error

[pauldraper]

When creating a Lambda function, I get

Error: Error creating Lambda function: ValidationException: 
	status code: 400, request id: 2db74e8f-49b6-4fe7-a005-55ac6afa6d23

I had used role name instead of role ARN. Does the API provide any further detail than status code 400 about the problem? If so, we should display that.

See also https://discuss.hashicorp.com/t/error-creating-lambda-function-validationexception/8192/3

[mac-transamerica]

Any updates on this. We are facing the same issue, and have no idea why. works in cli, so we need the real error message from terraform.

[pauldraper]

@mac-transamerica FWIW both my problem and the linked problem was using IAM Role name instead of IAM Role ARN. Something to check.

[ghost]

I'm stuck on the same error. Already spent over 2 hours trying to figure this out, these errors really need to provide more details. Ideally, validation should be checked during plan.

resource "aws_lambda_function" "json_upload" {
  filename      = local.archive_file_path
  function_name = local.function_name
  role          = aws_iam_role.json_upload.arn

  description      = "Uploads a JSON file to the S3 bucket"
  runtime          = "java11"
  memory_size      = 256
  handler          = "myhandler"
  source_code_hash = data.archive_file.lambda_zip.output_base64sha256

  vpc_config {
    subnet_ids = var.subnet_ids
    security_group_ids = [
      aws_security_group.json_upload.id,
    ]
  }

  environment {
    variables = {
      "MY_VAR" = trimspace(rsadecrypt((var.my_var), file("my.key")))
    }
  }

  lifecycle {
    ignore_changes = [
      source_code_hash,
    ]
  }
}

[cosbor11]

+1
I've have spend all day on trying to figure out what error is occurring and still have no hint, ValidationException is the Error message. There is no documentation anywhere on what possible causes for the "ValidationException". What is validation rule has been violation?????

[cosbor11]

This happens when invoking a lambda from within another lambda

[maryfromcolorado]

I've had this error for many reasons, and have spent countless hours trying to figure it out each time. Please fix this hashicorp, as lambdas are becoming critical infrastructure, and we need actual error to be able to resolve.

[IrmantasMarozas]

Stuck on this for 2 hours now, no idea what's wrong. I wouldn't mind if it was during plan, but now I have to apply change every time just to check.

[ricardoduval]

It's just sad the error message is so unhelpful and provides no insight whatsoever.

This is something that must be addressed as soon as possible. The amount of time spent trying to troubleshoot an error that you can find no correlation anywhere is absurd.

[ricardoduval]

I will actually retract my comment. In fact, what stinks is the AWS API response. I redacted the information of the execution in debug mode, but clearly, we can see the lack of any meaningful field in the response data.

2022-01-27T01:32:49.265Z [INFO]  provider.terraform-provider-aws_v3.69.0_x5: 2022/01/27 01:32:49 [DEBUG] [aws-sdk-go] DEBUG: Request lambda/CreateFunction Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST /2015-03-31/functions HTTP/1.1
Host: lambda.us-east-1.amazonaws.com
User-Agent: APN/1.0 HashiCorp/1.0 Terraform/1.0.5 (+https://www.terraform.io) terraform-provider-aws/3.69.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.42.18 (go1.16; linux; amd64)
Content-Length: 1478
Authorization: <REDACTED>, 
SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token, 
Signature=<REDACTED>
Content-Type: application/json
X-Amz-Date: 20220127T013249Z
X-Amz-Security-Token: <REDACTED>
Accept-Encoding: gzip

{"Code":{"ZipFile":"UEsDBBQA<REDACTED>AAAA="},"Description":"","Environment":{"Variables":{"RF_API_TOKEN":"rf/api/token","S3_INGEST_BUCKET":"xxxxxxxxxxxxxx"}},"FunctionName":"get_subdomains_from_rf","Handler":"get_subdomains.lambda_handler","MemorySize":128,"PackageType":"Zip","Publish":false,"Role":"arn:aws:iam::XXXXXXXX:role/acct-managed/ers-lambda-get_subdomains_from_rf-role","Runtime":"python3.8","Tags":{"Description":"This lambda gets the subdomains of the domains in the Domains List and ingests the data","Name":"Get Subdomains From RF","Source":"RF","Target":"xx"},"Timeout":120}
-----------------------------------------------------: timestamp=2022-01-27T01:32:49.264Z
2022-01-27T01:32:49.455Z [INFO]  provider.terraform-provider-aws_v3.69.0_x5: 2022/01/27 01:32:49 [DEBUG] [aws-sdk-go] DEBUG: Response lambda/CreateFunction Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 400 Bad Request
Content-Length: 594
Content-Type: application/json
Date: Thu, 27 Jan 2022 01:32:49 GMT
X-Amzn-Errortype: ValidationException
X-Amzn-Requestid: 37440ca9-0a51-4544-8aa3-881784cc9fbd


-----------------------------------------------------: timestamp=2022-01-27T01:32:49.454Z
2022-01-27T01:32:49.455Z [INFO]  provider.terraform-provider-aws_v3.69.0_x5: 2022/01/27 01:32:49 [DEBUG] [aws-sdk-go]: timestamp=2022-01-27T01:32:49.454Z
2022-01-27T01:32:49.455Z [INFO]  provider.terraform-provider-aws_v3.69.0_x5: 2022/01/27 01:32:49 [DEBUG] [aws-sdk-go] DEBUG: Validate Response lambda/CreateFunction failed, attempt 0/25, error ValidationException:
	status code: 400, request id: 37440ca9-0a51-4544-8aa3-881784cc9fbd: timestamp=2022-01-27T01:32:49.455Z
2022-01-27T01:32:49.455Z [INFO]  provider.terraform-provider-aws_v3.69.0_x5: 2022/01/27 01:32:49 [DEBUG] Unlocking "aws_lambda_function": timestamp=2022-01-27T01:32:49.455Z
2022-01-27T01:32:49.455Z [INFO]  provider.terraform-provider-aws_v3.69.0_x5: 2022/01/27 01:32:49 [DEBUG] Unlocked "aws_lambda_function": timestamp=2022-01-27T01:32:49.455Z
2022-01-27T01:32:49.458Z [DEBUG] Uploading remote state to S3: {
  Body: buffer(0xc0023ec630),

Although the client response is good :-(

$ aws lambda create-function --function-name get_subdomains_from_rf --runtime "python3.8" --role "arn:aws:iam::XXXXXXXXX:role/acct-managed/ers-lambda-get_subdomains_from_rf-role" --handler "get_subdomains.lambda_handler" --zip-file fileb://../../../terraform/module/lambda/files/get_subdomains_from_rf.zip --timeout 120 --package-type Zip --environment '{"Variables":{"RF_API_TOKEN":"rf/api/token","S3_INGEST_BUCKET":"xxxxxxx"}}' --tags '{"Description":"This lambda gets the subdomains of the domains in the Domains List and ingests the data","Name":"Get Subdomains From RF","Source":"RF","Target":"xxxxx <xxxxx>"}'

An error occurred (ValidationException) when calling the CreateFunction operation: 1 validation error detected: Value '{Target=xxxxx <xxxxx>, Description=This lambda gets the subdomains of the domains in the Domains List and ingests the data, Source=RF, Name=Get Subdomains From RF}' at 'tags' failed to satisfy constraint: Map value must satisfy constraint: [Member must have length less than or equal to 256, Member must have length greater than or equal to 0, Member must satisfy regular expression pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$]

[sergei-ivanov]

I have just wasted at least half a day trying to get to the root cause of ValidationException with absolutely no clues given by Terraform. Just like @ricardoduval I ran it Terraform with TF_LOG=DEBUG, which only confirmed the same error and did not give any further details. So I ended up crafting a command line equivalent which finally gave me a proper error message. In my case it was:

$ aws lambda create-function <...>

An error occurred (ValidationException) when calling the CreateFunction operation: 1 validation error detected: Value '1800' at 'timeout' failed to satisfy constraint: Member must have value less than or equal to 900

[sergei-ivanov]

TL;DR I think we have some compatibility problem between AWS SDK/API and the underlying AWS service for Lambda.

Faced with an obvious discrepancy in error reporting by AWS CLI and Terraform, I decided to dig a bit deeper.

Here's the API response, taken from the Terraform debug log:

2022-02-01T20:12:59.603Z [INFO]  provider.terraform-provider-aws_v3.74.0_x5: 2022/02/01 20:12:59 [DEBUG] [aws-sdk-go] DEBUG: Response lambda/CreateFunction Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 400 Bad Request
Content-Length: 147
Content-Type: application/json
Date: Tue, 01 Feb 2022 20:12:59 GMT
X-Amzn-Errortype: ValidationException
X-Amzn-Requestid: bdd1fc86-1e92-430f-b386-43b458f6c603


-----------------------------------------------------: timestamp=2022-02-01T20:12:59.603Z

Apparently there's 147 bytes of JSON content, which must be an encoded error message, which the provider needs to extract and return to Terraform. But the provider seems to throw away the error message and then we simply get a "computer says no" in the console:

│ Error: error creating Lambda Function (1): ValidationException: 
│ 	status code: 400, request id: bdd1fc86-1e92-430f-b386-43b458f6c603

So I tried to obtain the content of that error message. Running my AWS CLI command with --debug I got:

2022-02-02 00:42:23,232 - MainThread - urllib3.connectionpool - DEBUG - https://lambda.eu-west-2.amazonaws.com:443 "POST /2015-03-31/functions HTTP/1.1" 400 147
2022-02-02 00:42:23,233 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Wed, 02 Feb 2022 00:42:23 GMT', 'Content-Type': 'application/json', 'Content-Length': '147', 'Connection': 'keep-alive', 'x-amzn-RequestId': '78eca618-d5bb-41ab-8647-9d152a7fa349', 'x-amzn-ErrorType': 'ValidationException'}
2022-02-02 00:42:23,233 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"message":"1 validation error detected: Value \'1800\' at \'timeout\' failed to satisfy constraint: Member must have value less than or equal to 900"}'

And if I copy the request parameters from Terraform debug log and stick them into an HTTP client, I get a similar response:

HTTP/1.1 400 
Date: Wed, 02 Feb 2022 00:52:26 GMT
Content-Type: application/json
Content-Length: 147
Connection: keep-alive
x-amzn-RequestId: 5933fbf3-bde1-46ef-bc09-d6b8e2014803
x-amzn-ErrorType: ValidationException

{
  "message": "1 validation error detected: Value '1800' at 'timeout' failed to satisfy constraint: Member must have value less than or equal to 900"
}

But AWS API for CreateFunction does not list ValidationException among possible error types. The closest it gets to it is InvalidParameterValueException.

Likewise, aws-sdk-go does not have ValidationException in the list of generated exception classes for Lambda API, most likely because it is absent from the API schema. An example of API that does support ValidationException and has it in the generated API/SDK is ACM.

So I suspect that somehow Lambda service sends back an error type that is not part of the schema for Lambda API, and hence it is not recognised by aws-sdk-go, which makes it fall back to the default implementation, which does not know how to format the message.

[webdev-q3]

In my case it was name of the lambda function which was incorrect. I was using spaces and that's not allowed.

[jacobtb23]

Same for me. The function name and handler had invalid characters. Once I did that the error went away.

[dugshnay]

Using aws-sdk-go I received the same helpless ValidationException. In my case I was using a PackageType of zip instead of Zip. 😲 Case matters.

[chrisdlangton]

The issue for me was having a comma in the tag value
I had spent hours trying to figure it out too
It was only when I ABANDONED Terraform and used the AWS CLI directly (i.e. boto3, for which I contributed to myself before and easily saw how they provide good error feedback) and then went to the Go SDK and found the exact same validation ported to Go

It's simply to do validation when it's already shown and the same programming language
it's built in to AWS tools
all Hashicorp has to do is read AWS source in the Go SDK and copy/paste over the validation
Hashicorp are claiming their tools are not just at least as good as AWS, they claim they are better! And yet they don't even do the same validation, or much validation at all based on this thread

Poor effort when you look at a thread like this and feel the pain yourself it makes it blatantly obvious Hashicorp are not interested in maintaining good 'fundamental' tools anymore, their too focused on shiny new stuff

[Navapon]

For my case environment variable got extra space to spend an hour looking at it.

[micksatana]

In my case, it was about s3_existing_package bucket. The bucket should be name not ARN. Hope this might help someone.

[draoncc]

I've been attempting to replicate my Terraform plan with the AWS CLI, but when doing so the AWS CLI lambda create-function command creates the function successfully, whereas Terraform Cloud apply will fail with a nondescript ValidationException.

Here is a description of my specific case: https://stackoverflow.com/questions/74561968/terraform-cloud-apply-lambda-function-fails-with-validationexception-aws-cli-la

This is extremely frustrating and makes it practically impossible to effectively debug whatever issue I might be running into with validation.

Edit: It turns out that in tracing_mode = "Active", the word "Active" needs to be capitalized.

[remidebette]

Please deliver this, also lost precious hours debugging this

[jar-b]

This may be an upstream issue in the aws-go-sdk V1 library (see aws/aws-sdk-go#4733 for a complete writeup). In this case, the provider itself is not filtering any messaging returned from the CreateFunction call, the additional information just isn't there.

While we await a response on the bug report, we'll also investigate updating to V2 of the AWS Go SDK for the Lambda function resource.

[RanVaknin]

Hi everyone, I have posted my findings on the aws/aws-sdk-go#4733 thread.
Right now the team is shifting priorities in favor of enhanacing the v2 repo so pushing a fix will take a lower priority.

Apologies for the inconveniences,
Ran~

[github-actions]

This functionality has been released in v4.56.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.