403 when attaching a Lambda function to a target group with an ALB using Terraform

I am able to create instances, target groups and an ALB with Terraform without any problem, but I run into trouble when trying to use a Lambda function. The Lambda function appears to be created successfully together with the ALB and the target group, but attaching the Lambda function to the target group fails.

resource "aws_lambda_function" "LAMBDA_FUNCTION" {
  filename         = "../my_function.zip"
  function_name    = "my_function"
  role             = aws_iam_role.LAMBDA_ROLE.arn
  handler          = "my_function.lambda_handler"
  runtime          = "python3.8"
  memory_size      = 128
  description      = "My Lambda Function"
}
resource "aws_lb_target_group" "LB_TG" {
  name                               = "${local.env}-tg"
  target_type                        = "lambda"
  lambda_multi_value_headers_enabled = false
}
resource "aws_lb_target_group_attachment" "TG_ATTACHMENT" {
  target_group_arn        = aws_lb_target_group.LB_TG.arn
  target_id               = aws_lambda_function.LAMBDA_FUNCTION.arn
}

Running terraform apply gives the following error message:

Error: Error registering targets with target group: AccessDenied: elasticloadbalancing principal does not have permission to invoke arn:aws:lambda:us-west-1:694058713236:function:my_function from target group arn:aws:elasticloadbalancing:us-west-1:694058713236:targetgroup/test-tg/9da892faefbe02b7
    status code: 403, request id: d13c36ed-2513-4d4c-97d0-2e449be859a1

As far as I can tell, I am missing a step where I explicitly allow the target group and the Lambda function to be associated with each other.

Answer 1

Two additional resources are needed to make this work:

Many thanks to the blog post

Answer 2

I ran into a similar problem:

This answer may not be the best one. I tried many options, but none of them worked.

I have the following modules set up:

Create the Lambda function

module "lambda_function_infra_lambda_app" {
  source = "../../../../modules/aws/lambda-function"

  function_name          = var.function_name.ila
  function_role          = local.lambda_role_arn
  function_architectures = var.function_architectures
  function_description   = var.function_description.ila
  function_handler       = var.function_handler.index
  function_memory_size   = var.function_memory_size
  function_package_type  = var.function_package_type.zip
  function_s3_bucket     = var.function_s3_bucket
  function_s3_key        = var.function_s3_key.ila
  function_image_uri     = null
  function_timeout       = var.function_timeout
  function_publish       = var.function_publish
  function_runtime       = var.function_runtime.node16
  # environment variables are updated only from the deployment pipeline
  environment_variables         = var.environment_variables
  vpc_config_subnet_ids         = [data.aws_subnets.public.ids[0], data.aws_subnets.public.ids[1], data.aws_subnets.public.ids[2]]
  vpc_config_security_group_ids = [data.aws_security_groups.lambda_functions.ids[0]]
  tag_environment               = local.tag_environment
  tag_terraform                 = local.tag_terraform.true
}

Create the Lambda trigger/permission

module "lambda_permission_infra_lambda_app" {
  source = "../../../../modules/aws/lambda-permission"

  lambda_permission_statement_id = var.lambda_permission_statement_id.lb
  lambda_permission_action       = var.lambda_permission_action.invoke
  function_name                  = var.function_name.ila
  lambda_permission_principal    = var.lambda_permission_principal.lb
  lambda_permission_source_arn   = data.aws_lb.prod_alb_public_1.id
  lambda_permission_qualifier    = null

  depends_on = [
    module.lambda_function_infra_lambda_app
  ]
}

Create the load balancer target group

module "lb_target_group_infra_lambda_app" {
  source = "../../../../modules/aws/lb-target-group"

  lb_target_group_name     = var.lb_target_group_name.ila
  lb_target_group_port     = var.lb_target_group_port.80
  lb_target_group_protocol = var.lb_target_group_protocol.http
  lb_target_type           = var.lb_target_type.lambda
  vpc_id                   = local.vpc_id
  connection_termination   = var.connection_termination
  deregistration_delay     = var.deregistration_delay
  protocol_version         = var.protocol_version
  proxy_protocol_v2        = var.proxy_protocol_v2
  slow_start               = var.slow_start
  health_check_enabled     = var.health_check_enabled.true
  healthy_threshold        = var.healthy_threshold
  health_check_interval    = var.health_check_interval.300
  health_check_path        = var.health_check_path.root
  health_check_port        = null
  health_check_protocol    = var.health_check_protocol
  health_check_timeout     = var.health_check_timeout.5
  unhealthy_threshold      = var.unhealthy_threshold
  tag_environment          = local.tag_environment
  tag_terraform            = local.tag_terraform.true
  tag_application          = local.tag_application.ecs
}

Create the load balancer target group attachment

module "lb_target_group_attachment_infra_lambda_app" {
  source = "../../../../modules/aws/lb-target-group-attachment"

  target_group_arn                = module.lb_target_group_infra_lambda_app.lb_target_group_arn
  target_id                       = data.aws_lambda_function.infra_lambda_app.arn
  lb_target_group_attachment_port = null
  availability_zone               = null

  depends_on = [module.lb_target_group_infra_lambda_app]
}

But when I run this, I get the error below while creating the load balancer target group attachment:

│ Error: Error registering targets with target group: AccessDenied: elasticloadbalancing principal does not have permission to invoke arn:aws:lambda:eu-west-1:230835587296:function:infra-lambda-app from target group arn:aws:elasticloadbalancing:eu-west-1:230835587296:targetgroup/infra-lambda-app/f35dfb6543a30220
│     status code: 403, request id: fe5cffaf-a58b-46ba-996e-fg15bc4124a1
│
│   with module.lb_target_group_attachment_infra_lambda_app.aws_lb_target_group_attachment.main,
│   on ../../../../modules/aws/lb-target-group-attachment/main.tf line 1, in resource "aws_lb_target_group_attachment" "main":
│    1: resource "aws_lb_target_group_attachment" "main" {

All modules except the last one were applied successfully.

Here is how I solved the problem

All I had to do was register the target manually in the AWS console:

EC2 > Target Groups > (the target group) > Register targets > select the specific Lambda function

After that, I was able to register the Lambda target using Terraform. I also removed it from the target group and ran Terraform again for that specific target group and that specific Lambda function, and it still worked.
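The error in both the question and Answer 2 is the ALB service principal being refused permission to invoke the function, which is what Answer 1's missing resources and Answer 2's manual console registration supply. The following is an added example, not code from either answer: an aws_lambda_permission that grants elasticloadbalancing.amazonaws.com invoke rights on the question's function, scoped to the question's target group (LAMBDA_FUNCTION and LB_TG are the question's resource names; the statement_id is an assumed label), and the attachment made to wait for it.

```hcl
# Added example (not the answers' own code). Grants the ALB service principal
# permission to invoke the function; without this, registering the Lambda
# target fails with the AccessDenied / 403 shown above.
resource "aws_lambda_permission" "ALLOW_ALB_INVOKE" {
  statement_id  = "AllowExecutionFromALB" # assumed label
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.LAMBDA_FUNCTION.function_name
  principal     = "elasticloadbalancing.amazonaws.com"

  # Least privilege: restrict the grant to this one target group. The value
  # must be the target group ARN (the principal invokes on its behalf), not
  # the load balancer ARN, which is why a permission scoped to the ALB ARN
  # still yields the 403.
  source_arn = aws_lb_target_group.LB_TG.arn
}

resource "aws_lb_target_group_attachment" "TG_ATTACHMENT" {
  target_group_arn = aws_lb_target_group.LB_TG.arn
  target_id        = aws_lambda_function.LAMBDA_FUNCTION.arn

  # Terraform cannot infer this ordering from references alone; ELB validates
  # the invoke permission at registration time, so the permission must exist
  # before the target is registered.
  depends_on = [aws_lambda_permission.ALLOW_ALB_INVOKE]
}
```

To confirm the grant took effect, `aws lambda get-policy --function-name my_function` prints the function's resource policy, which should contain a statement for elasticloadbalancing.amazonaws.com with an ArnLike condition on the target group ARN.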