Terraform 0.12 aws_lambda_permission resource replaced every apply
I am dynamically creating the following resources in a Terraform v0.12 module:
variables.tf:

    variable "stages" {
      type    = list(string)
      default = ["v1", "v2"]
    }

    variable "rest_api_id" {
      description = "The ID of the associated REST API"
    }

    variable "api_root_resource_id" {
      description = "The API resource ID"
    }

    variable "region" {
      description = "The AWS region"
    }

    variable "method" {
      description = "The HTTP method"
      default     = "GET"
    }

    variable "lambda" {
      description = "The lambda name to invoke"
    }

    variable "account_id" {
      description = "The AWS account ID"
    }
main.tf:

    resource "aws_lambda_permission" "lambda_permision" {
      count         = length(var.stages)
      statement_id  = "${var.lambda}${element(var.stages, count.index)}Invoke"
      action        = "lambda:InvokeFunction"
      function_name = "${var.lambda}:${element(var.stages, count.index)}"
      principal     = "apigateway.amazonaws.com"
      source_arn    = "arn:aws:execute-api:${var.region}:${var.account_id}:${var.rest_api_id}/*/${var.method}${aws_api_gateway_resource.api_resource.path}"
    }
The inputs do not change, but on every apply I get the following notification:

    An execution plan has been generated and is shown below.
    Resource actions are indicated with the following symbols:
    -/+ destroy and then create replacement

    Terraform will perform the following actions:

      # module.signurl_get.aws_lambda_permission.lambda_permision[0] must be replaced
    -/+ resource "aws_lambda_permission" "lambda_permision" {
            action        = "lambda:InvokeFunction"
          ~ function_name = "peng_lambda_test_version_eu_dev" -> "peng_lambda_test_version_eu_dev:v1" # forces replacement
          ~ id            = "peng_lambda_test_version_eu_devv1Invoke" -> (known after apply)
            principal     = "apigateway.amazonaws.com"
          - qualifier     = "v1" -> null # forces replacement
            source_arn    = "arn:aws:execute-api:eu-west-1:887428995966:t4m0c9z1uk/*/GET/signurl"
            statement_id  = "peng_lambda_test_version_eu_devv1Invoke"
        }

      # module.signurl_get.aws_lambda_permission.lambda_permision[1] must be replaced
    -/+ resource "aws_lambda_permission" "lambda_permision" {
            action        = "lambda:InvokeFunction"
          ~ function_name = "peng_lambda_test_version_eu_dev" -> "peng_lambda_test_version_eu_dev:v2" # forces replacement
          ~ id            = "peng_lambda_test_version_eu_devv2Invoke" -> (known after apply)
            principal     = "apigateway.amazonaws.com"
          - qualifier     = "v2" -> null # forces replacement
            source_arn    = "arn:aws:execute-api:eu-west-1:887428995966:t4m0c9z1uk/*/GET/signurl"
            statement_id  = "peng_lambda_test_version_eu_devv2Invoke"
        }

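When using the aws_lambda_permission resource, your function name should instead be the unqualified Lambda function name. If you need to specify an alias to version your Lambda then this should be done by using the qualifier parameter.

Right now Terraform is trying to set the function name to include the qualifier and set the qualifier to nil. The AWS API happily accepts this and does what you want it to do, but when Terraform refreshes and updates its state it sees that the function name has had the qualifier removed and that the qualifier parameter has been set, so it tries to force things back to the way the code tells it they should be. Unfortunately, this is also an operation that doesn't support in-place updates of the Lambda permission resource, so it also needs to delete the existing Lambda permission and recreate it.

Removing the qualifier from the function name and adding it to the proper qualifier parameter should fix this: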

    resource "aws_lambda_permission" "lambda_permision" {
      count         = length(var.stages)
      statement_id  = "${var.lambda}${var.stages[count.index]}Invoke"
      action        = "lambda:InvokeFunction"
      function_name = "${var.lambda}"
      qualifier     = "${var.stages[count.index]}"
      principal     = "apigateway.amazonaws.com"
      source_arn    = "arn:aws:execute-api:${var.region}:${var.account_id}:${var.rest_api_id}/*/${var.method}${aws_api_gateway_resource.api_resource.path}"
    }

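In the above example I've also replaced your element function with a direct list index using square bracket notation. element is useful if you need to loop through the list multiple times without doing a modulo in the index; otherwise the square bracket notation tends to be more readable and has the same behaviour.

As you mentioned you are using Terraform 0.12, you can also move to the newer syntax where you aren't concatenating strings and variables: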

    resource "aws_lambda_permission" "lambda_permision" {
      count         = length(var.stages)
      statement_id  = "${var.lambda}${var.stages[count.index]}Invoke"
      action        = "lambda:InvokeFunction"
      function_name = var.lambda
      qualifier     = var.stages[count.index]
      principal     = "apigateway.amazonaws.com"
      source_arn    = "arn:aws:execute-api:${var.region}:${var.account_id}:${var.rest_api_id}/*/${var.method}${aws_api_gateway_resource.api_resource.path}"
    }
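
A CI check for the replacement loop described in the answer, as an added example that is not part of the original question or answer: it reads the JSON form of a plan (`terraform show -json <planfile>`) and reports aws_lambda_permission resources that are destroyed and recreated although the function and qualifier they target are unchanged. The helper names `split_target` and `find_qualifier_churn` and the embedded sample plan are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>`, trimmed to
# the fields this check reads. The first entry mirrors the plan in the question.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "module.signurl_get.aws_lambda_permission.lambda_permision[0]",
     "type": "aws_lambda_permission",
     "change": {"actions": ["delete", "create"],
                "before": {"function_name": "peng_lambda_test_version_eu_dev",
                           "qualifier": "v1"},
                "after": {"function_name": "peng_lambda_test_version_eu_dev:v1",
                          "qualifier": None}}},
    # Constructed: the alias really changes here, so this must not be flagged.
    {"address": "aws_lambda_permission.example[0]",
     "type": "aws_lambda_permission",
     "change": {"actions": ["delete", "create"],
                "before": {"function_name": "example_fn", "qualifier": "v1"},
                "after": {"function_name": "example_fn", "qualifier": "v2"}}},
]})


def split_target(function_name, qualifier):
    """Return (name, qualifier) as the refreshed state records them."""
    name = function_name or ""
    # Simplification: ARNs also contain colons, so only bare "name:qualifier" is split.
    if qualifier is None and ":" in name and not name.startswith("arn:"):
        name, qualifier = name.rsplit(":", 1)
    return name, qualifier


def find_qualifier_churn(plan_json):
    """Addresses of permissions replaced although function and qualifier are unchanged."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change") or {}
        if rc.get("type") != "aws_lambda_permission":
            continue
        if set(change.get("actions", [])) != {"delete", "create"}:
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        same_target = (split_target(before.get("function_name"), before.get("qualifier"))
                       == split_target(after.get("function_name"), after.get("qualifier")))
        if same_target and before.get("function_name") != after.get("function_name"):
            findings.append(rc["address"])
    return findings


if __name__ == "__main__":
    for address in find_qualifier_churn(SAMPLE_PLAN):
        print("spurious replacement (qualifier embedded in function_name):", address)
```

Each reported address is a permission that is deleted and recreated on every apply, so the API Gateway invoke grant is briefly absent each time until the qualifier is moved into its own argument.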