如何解决创建Lambda函数时出现Terraform错误:应用带有Terraform刚创建的资源的ResourceConflictException
我正在帐户的每个AWS区域中部署Lambda函数,并遇到奇怪的问题,其中应用失败,其中某些AWS区域出现以下错误消息
应用Terraform时出错
Error: Error creating Lambda function: ResourceConflictException: Function already exist: log-forwarder
{
RespMetadata: {
StatusCode: 409,RequestID: "8cfd7260-7c4a-42d2-98c6-6619c7b2804f"
},Message_: "Function already exist: log-forwarder",Type: "User"
}
上面的Lambda函数刚由失败的同一Terraform Apply创建。
terraform计划和init不会引发任何有关TF配置问题的错误。
计划和初始化都成功运行。
下面是我的目录结构
.
├── log_forwarder.tf
├── log_forwarder_lambdas
│ └── main.tf
└── providers.tf
下面是我的providers.tf
文件
provider "aws" {
region = "us-east-1"
version = "3.9.0"
}
provider "aws" {
alias = "us-east-2"
region = "us-east-2"
version = "3.9.0"
}
provider "aws" {
alias = "us-west-2"
region = "us-west-2"
version = "3.9.0"
}
provider "aws" {
alias = "us-west-1"
region = "us-west-1"
version = "3.9.0"
}
provider "aws" {
alias = "ca-central-1"
region = "ca-central-1"
version = "3.9.0"
}
... with all the AWS Regions.
下面是log_forwarder.tf
的tf配置
terraform {
required_version = "0.12.25"
backend "s3" {
All the backend Config
}
}
resource "aws_iam_role" "log_forwarder" {
name = "LogForwarder"
assume_role_policy = <<EOF
{
"Version": "2012-10-17","Statement": [
{
"Sid": "","Effect": "Allow","Principal": {
"Service": ["lambda.amazonaws.com"]
},"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy" "log_forwarder" {
name = "LogForwarder"
role = aws_iam_role.log_forwarder.id
policy = <<EOF
{
"Version": "2012-10-17","Statement": [
{
"Effect": "Allow","Action": [
"lambda:ListTags","logs:CreateLogGroup","logs:CreateLogStream","logs:PutLogEvents"
],"Resource": [
"arn:aws:logs:*","arn:aws:lambda:*"
]
},{
"Effect": "Allow","Action": [
"lambda:InvokeFunction"
],"Resource": "*"
},{
"Sid": "AWSDatadogPermissionsForCloudtrail","Action": ["s3:ListBucket","s3:GetBucketLocation","s3:GetObject","s3:ListObjects"],"Resource": [
"arn:aws:s3:::BucketName","arn:aws:s3:::BucketName/*"
]
}
]
}
EOF
}
module "DDLogForwarderUSEast1" {
source = "./log_forwarder_lambdas"
dd_log_forwarder_role = aws_iam_role.log_forwarder.arn
region = "us-east-1"
}
module "DDLogForwarderUSEast2" {
source = "./log_forwarder_lambdas"
dd_log_forwarder_role = aws_iam_role.log_forwarder.arn
providers = { aws = aws.us-east-2 }
region = "us-east-2"
}
module "DDLogForwarderUSWest1" {
source = "./log_forwarder_lambdas"
dd_log_forwarder_role = aws_iam_role.log_forwarder.arn
providers = { aws = aws.us-west-1 }
region = "us-west-1"
}
module "DDLogForwarderUSWest2" {
source = "./log_forwarder_lambdas"
dd_log_forwarder_role = aws_iam_role.log_forwarder.arn
region = "us-west-2"
providers = { aws = aws.us-west-2 }
}
module "DDLogForwarderAPEast1" {
source = "./log_forwarder_lambdas"
dd_log_forwarder_role = aws_iam_role.log_forwarder.arn
providers = { aws = aws.ap-east-1 }
region = "ap-east-1"
}
module "DDLogForwarderAPSouth1" {
source = "./log_forwarder_lambdas"
dd_log_forwarder_role = aws_iam_role.log_forwarder.arn
region = "ap-south-1"
providers = { aws = aws.ap-south-1 }
}
... All AWS Regions with different providers
log_forwarder_lambdas/main.tf
的TF配置
variable "region" {}
variable "account_id" {
default = "AWS Account Id"
}
variable "dd_log_forwarder_role" {}
variable "exclude_at_match" {
default = "([A-Z]* RequestId: .*)"
}
data "aws_s3_bucket" "cloudtrail_bucket" {
count = var.region == "us-west-2" ? 1 : 0
bucket = "BucketName"
}
resource "aws_lambda_function" "log_forwarder" {
filename = "${path.cwd}/log_forwarder_lambdas/aws-dd-forwarder-3.16.3.zip"
function_name = "log-forwarder"
role = var.dd_log_forwarder_role
description = "Gathers logs from targetted Cloudwatch Log Groups and sends them to DataDog"
handler = "lambda_function.lambda_handler"
runtime = "python3.7"
timeout = 600
memory_size = 1024
layers = ["arn:aws:lambda:${var.region}:464622532012:layer:Datadog-Python37:11"]
environment {
variables = {
DD_ENHANCED_METRICS = false
EXCLUDE_AT_MATCH = var.exclude_at_match
}
}
}
resource "aws_cloudwatch_log_group" "log_forwarder" {
name = "/aws/lambda/${aws_lambda_function.log_forwarder.function_name}"
retention_in_days = 90
}
resource "aws_lambda_permission" "cloudtrail_bucket" {
count = var.region == "us-west-2" ? 1 : 0
statement_id = "AllowExecutionFromS3Bucket"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.log_forwarder.arn
principal = "s3.amazonaws.com"
source_arn = element(data.aws_s3_bucket.cloudtrail_bucket.*.arn,count.index)
}
resource "aws_s3_bucket_notification" "cloudtrail_bucket_notification" {
count = var.region == "us-west-2" ? 1 : 0
bucket = element(data.aws_s3_bucket.cloudtrail_bucket.*.id,count.index)
lambda_function {
lambda_function_arn = aws_lambda_function.log_forwarder.arn
events = ["s3:ObjectCreated:*"]
}
depends_on = [aws_lambda_permission.cloudtrail_bucket,aws_cloudwatch_log_group.log_forwarder]
}
在这种情况下,我使用的是TF 0.12.25。
到目前为止我尝试过的事情。
- 每次我运行Terraform的init / plan / apply循环时,从根模块中删除.terraform文件夹
- 我尝试了尽可能多地重构代码。
- 我正在本地运行TF计划/申请周期,没有任何CI。
解决方法
乍看之下,Lambda函数似乎未处于Terraform状态(无论出于何种原因)。您是否更改了后端/从后端删除了数据?
运行terraform show
和/或terraform state show
,查看有冲突的Lambda函数是否处于您的状态。
如果不是,但是它已经存在于AWS中,则可以将其导入。
看到这里:https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#import
更新:
根据您的评论,由于资源存在于AWS中但不处于状态中,因此这是预期的错误。 (Terraform不知道资源存在,因此尝试创建它; AWS知道它已经存在,因此返回错误。)
您有两种选择:
- 在AWS中删除资源,然后再次运行Terraform;或
- 将现有资源导入Terraform(推荐)。
尝试类似的东西:
terraform import module.DDLogForwarderUSEast1.aws_lambda_function.log-forwarder log-forwarder
(如果在其他区域尝试此操作,请确保您设置了正确的提供者/区域!)
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。