Terraform 错误更新 CloudFront Distribution InvalidLambdaFunctionAssociation: 该函数不能有环境变量

Posted 2023-03-27

【中文标题】Terraform 错误更新 CloudFront Distribution InvalidLambdaFunctionAssociation: 该函数不能有环境变量

【英文标题】：Terraform error updating CloudFront Distribution InvalidLambdaFunctionAssociation: The function cannot have environment variables

【发布时间】：2021-10-15 20:48:16

【问题描述】：

我正在尝试构建一个 terraform 模板，该模板创建一个 AWS S3 存储桶、Cloudfront Distribution 和一个应该与 Cloudfront Distribution 关联的 Lambda 函数。

将“lambda_function_association”添加到 Cloudfront 资源后，我会遇到以下错误。

Error: error updating CloudFront Distribution (XXXXXXXXXXXXXXX): InvalidLambdaFunctionAssociation: The function cannot have environment variables. Function: arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:testtools:4
status code: 400, request id: 3ce25af1-8341-41c0-8d35-4c3c91c2c001
with aws_cloudfront_distribution.testtools,
on main.tf line 42, in resource "aws_cloudfront_distribution" "testtools":
42: resource "aws_cloudfront_distribution" "testtools" 

lambda_function_association 
     event_type = "origin-response"
     lambda_arn = "$aws_lambda_function.testtools.qualified_arn"
     include_body = false

我认为它与函数关联内部使用的 lambda_arn 有关。

resource "aws_cloudfront_distribution" "testtools" 

    depends_on = [aws_s3_bucket.testtools, aws_lambda_function.testtools]

        origin 
            domain_name = aws_s3_bucket.testtools.bucket_regional_domain_name
            origin_id   = var.s3_origin_id

            s3_origin_config 
                origin_access_identity = aws_cloudfront_origin_access_identity.testtools.cloudfront_access_identity_path
            
        

        enabled             = true
        is_ipv6_enabled     = true
        comment             = "testtools"
        default_root_object = "index.html"
        provider            = aws

        logging_config 
            include_cookies = false
            bucket          = "testtools.s3.amazonaws.com"
            prefix          = "testtools"
        

        aliases = ["testtools.int.test.net"]

        default_cache_behavior 
            allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
            cached_methods   = ["GET", "HEAD"]
            target_origin_id = var.s3_origin_id

            forwarded_values 
                query_string = false

                cookies 
                    forward = "none"
                
            

            viewer_protocol_policy = "allow-all"
            min_ttl                = 0
            default_ttl            = 3600
            max_ttl                = 86400

            lambda_function_association 
                event_type = "origin-response"
                lambda_arn = "$aws_lambda_function.testtools.qualified_arn"
                include_body = false
            

        

        price_class = "PriceClass_200"

        restrictions 
            geo_restriction 
                restriction_type = "whitelist"
                locations        = ["DE", "AU", "CH", "BG"]
            
        

        tags = 
            Environment = "production"
        

        viewer_certificate 
            acm_certificate_arn = var.ssl_cert_arn
            ssl_support_method = "sni-only"
            minimum_protocol_version = "TLSv1"
        


resource "aws_lambda_function" "testtools" 
        filename      = "lambda_function_payload.zip"
        function_name = "testtools"
        role          = aws_iam_role.testtools.arn
        handler       = "index.test"
        publish       = true
        provider      = aws.useast1
        source_code_hash = filebase64sha256("lambda_function_payload.zip")

        runtime = "nodejs12.x"

        environment 
            variables = 
                foo = "bar"
            
        

【问题讨论】：

这很明显:-)

【参考方案1】：

使用 Lambda@edge 时，您的 lambda 必须遵守更多限制。一些限制还取决于您是将 lambda 链接到原始 req/res 还是查看器 req/res。

其中一个限制是您不能使用环境变量。您可以在此页面上找到更多信息：Lambda@Edge function restrictions