Not able to configure Lambda Provisioned Concurrency.

[sreetejap]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform CLI version: 1.0.9
Terraform AWS Provider version: >=3.38

Affected Resource(s)

• aws_lambda_provisioned_concurrency_config

Terraform Configuration Files

resource "aws_lambda_function" "new_contact" {
  function_name    = module.aws_lambda_function_new_contact_label.id
  description      = "Managed by Terraform."
  filename         = data.archive_file.new_contact.output_path
  handler          = "new_contact.handler"
  role             = aws_iam_role.new_contact_lambda.arn
  layers           = [aws_lambda_layer_version.main.arn]
  runtime          = "nodejs12.x"
  source_code_hash = data.archive_file.new_contact.output_base64sha256
  tags             = module.aws_lambda_function_new_contact_label.tags
  timeout          = 3
  memory_size      = 128
  publish          = true

  environment {
    variables = {
      ENV_STAGE    = terraform.workspace,
      GSHEET_CREDS = module.ssm-parameter-store.values[2]
    }
  }
}

resource "aws_lambda_permission" "new_contact" {
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.new_contact.function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.gateway.execution_arn}/*/*/*"
}

resource "aws_lambda_alias" "new_contact_lambda_alias" {
  name             = module.aws_lambda_function_new_contact_alias_label.id
  function_name    = aws_lambda_function.new_contact.arn
  function_version = aws_lambda_function.new_contact.version
}

resource "aws_lambda_provisioned_concurrency_config" "new_contact_lambda_alias" {
  function_name                     = aws_lambda_alias.new_contact_lambda_alias.function_name
  provisioned_concurrent_executions = 1
  qualifier                         = aws_lambda_alias.new_contact_lambda_alias.name
  timeouts {
    create = "30m"
    update = "30m"
  }
}

Debug Output

error getting Lambda Provisioned Concurrency Config (arn:aws:lambda:ca-central-1:xxxxxxxxxxxx:function:ifs-dev-ax-newcontact:ifs-dev-ax-newcontact-alias): ValidationException:

Expected Behavior

It should have applied the configuration successfully during terraform apply and created resources

Actual Behavior

Provisioned Concurrency for lambda alias is created successfully in AWS console but failed in apply on command line with the above mentioned error and further terraform apply is not going through. The way around is manually removing aws_lambda_provisioned_concurrency_config resource from state using terraform state rm aws_lambda_provisioned_concurrency_config.new_contact_lambda_alias and remove manually in console and proceed with further applies.

Steps to Reproduce

1. terraform apply

[justinretzolk]

Hey @sreetejap 👋 Thank you for taking the time to file this, and for all of the great information you've already provided. In looking at this, I see that the error message you put in the debug output cuts off at ValidationException: -- can you also provide any following lines that give further details, or the whole debug log, so that we have all of the necessary information in order to look into this?

[alexjurkiewicz]

I can replicate the issue during plan. It appears Terraform is not providing the Qualifier as required by the API call.
https://docs.aws.amazon.com/lambda/latest/dg/API_GetProvisionedConcurrencyConfig.html

Looking at one of the requests in CloudTrail:

{
    # ...
    "requestParameters": {
        "functionName": "myfunction"
    },
    "responseElements": null,
    # ...
}

The plan doesn't show anything with debug logs except the error:

│ Error: error getting Lambda Provisioned Concurrency Config (arn:aws:lambda:ap-southeast-2:809245501444:function:myfunction:2): ValidationException: 
│ 	status code: 400, request id: fd216639-8bba-4e55-8b8d-74235dbbba5f
│ 
│   with aws_lambda_provisioned_concurrency_config.main["myfunction"],
│   on lambda.tf line 311, in resource "aws_lambda_provisioned_concurrency_config" "main":
│  311: resource "aws_lambda_provisioned_concurrency_config" "main" {

I suspect something is going wrong with determining the correct qualifier...

[alexjurkiewicz]

Looks like the error is because the resource ID should only be myfunction:2, but has somehow been set to the entire ARN...

[sreetejap]

I had this issue , I destroyed all configurations using terraform destroy and tried using lambda function name instead of arn in alias function resource. Luckily it worked ! But I suggest to change the docs in terraform registry for aws_lambda_alias function name attribute to refer to aws_lambda_function function name instead of arn.

[aldwyn]

@sreetejap 's solution worked on my end, but instead of destroying everything, just manually remove the concurrency config in the AWS console and execute terraform state rm <aws_lambda_provisioned_concurrency_config resource name> and run terraform apply again. The important thing here is that: instead of using the function's ARN as the alias' function_name value, use the actual Lambda function name but reference both the function_name and qualifier from the alias.

resource "aws_lambda_alias" "live" {
  count            = var.provisioned_concurrent_executions > -1 ? 1 : 0

  name             = "live"
  function_name    = aws_lambda_function.this.function_name
  function_version = aws_lambda_function.this.version
}

resource "aws_lambda_provisioned_concurrency_config" "live" {
  count         = length(aws_lambda_alias.live.*.arn)

  function_name = aws_lambda_alias.live[0].function_name
  qualifier     = aws_lambda_alias.live[0].name

  provisioned_concurrent_executions = var.provisioned_concurrent_executions
}

[dwysocki]

The docs for aws_lambda_alias still use the arn in the example. Can this be switched to the function_name instead to avoid this issue, or would that conflict with something else? Seems like the obvious default, as the field is called function_name.

See here

[github-actions]

This functionality has been released in v5.4.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.