Target group with lambda module - permission error #210

Closed
JCapriotti opened this issue Jun 30, 2021 · 5 comments

@JCapriotti

Description

When a target group references a Lambda ARN that is created within the Lambda module, and the Lambda module references the target group to grant permission to execute it, there's an error:

│ Error: Error registering targets with target group: AccessDenied: elasticloadbalancing principal does not have permission to invoke arn:aws:lambda:us-east-1:123456789012:function:app-test-service from target group arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/app-test-service/1234567890A
│ 	status code: 403, request id: 3a721e5a-6d47-493b-ad3c-6ec882213cb3
│
│   with module.service.module.alb.aws_lb_target_group_attachment.this["0.my_lambda"],
│   on .terraform/modules/service.alb/main.tf line 133, in resource "aws_lb_target_group_attachment" "this":
│  133: resource "aws_lb_target_group_attachment" "this" {

This scenario occurs in the complete-alb example code, and is mentioned in the comments here: https://github.com/terraform-aws-modules/terraform-aws-alb/blob/master/examples/complete-alb/main.tf#L308-L312

The workaround is to run terraform apply twice.

Versions

  • Terraform: 0.15 and 1.0
  • Provider(s): registry.terraform.io/hashicorp/aws v3.47.0
  • Module: terraform-aws-alb

Reproduction

Steps to reproduce the behavior:

  1. Run terraform apply with the example project: https://github.com/terraform-aws-modules/terraform-aws-alb/tree/master/examples/complete-alb

Expected behavior

Either:

  1. A single terraform apply works on the first try, if possible.
  2. Or, if it is expected and unable to be handled, a bigger/clearer callout about this scenario in the documentation.

Actual behavior

Error on the first terraform apply (mentioned in the description) and a success on the second terraform apply.

Additional context

I assume this is tricky because of the resource dependencies within the two modules... just curious if there's any workaround I'm missing, or if not a better way to communicate it as a known issue.
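
The ordering problem reported above, shown with plain AWS provider resources as an added example (not part of the original post, not the module's code, and not necessarily the change made in the fix referenced later in the thread). All resource and variable names are hypothetical; the function is assumed to exist already and is passed in by name and ARN.

```hcl
# Assumption: the Lambda function is created elsewhere.
variable "lambda_function_name" {
  type = string
}

variable "lambda_function_arn" {
  type = string
}

resource "aws_lb_target_group" "lambda" {
  name        = "app-test-service"
  target_type = "lambda"
}

# Resource-based policy statement on the function. It allows only the
# Elastic Load Balancing service principal to invoke it, and only on
# behalf of this one target group (source_arn), not any target group
# in the account.
resource "aws_lambda_permission" "alb" {
  statement_id  = "AllowExecutionFromALB"
  action        = "lambda:InvokeFunction"
  function_name = var.lambda_function_name
  principal     = "elasticloadbalancing.amazonaws.com"
  source_arn    = aws_lb_target_group.lambda.arn
}

resource "aws_lb_target_group_attachment" "lambda" {
  target_group_arn = aws_lb_target_group.lambda.arn
  target_id        = var.lambda_function_arn

  # The attachment reads no attribute of the permission, so Terraform
  # infers no dependency and may register the target before the
  # permission exists. Registration then fails with the AccessDenied
  # error quoted in this issue. The explicit edge forces the permission
  # to be created first.
  depends_on = [aws_lambda_permission.alb]
}
```

Keeping `source_arn` scoped to the single target group, rather than widening the permission to make the first apply succeed, preserves least privilege on the function's resource policy.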

@suppix

suppix commented Nov 4, 2021

Hi. Have you found out how to fix this issue?

@github-actions

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label Jan 11, 2022
@github-actions

This issue was automatically closed because of stale in 10 days

@eamonnmoloney
Contributor

FYI, there is a fix for this in #240

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 15, 2022