Create Lambda within VPC fails due to missing policy
Description
When using the module to create lambdas inside a VPC, the creation could fail with
Error: error creating Lambda Function (1): InvalidParameterValueException: The provided execution role does not have permissions to call CreateNetworkInterface on EC2
even though the configured policies include these permissions.
Versions
- Module version [Required]: 3.3.1
- Terraform version: v1.2.4 (linux_amd64)
- Provider version(s):
  + provider registry.terraform.io/hashicorp/aws v4.18.0
  + provider registry.terraform.io/hashicorp/external v2.2.2
  + provider registry.terraform.io/hashicorp/local v2.2.3
  + provider registry.terraform.io/hashicorp/null v3.1.1
  + provider registry.terraform.io/hashicorp/random v3.3.1
Reproduction Code [Required]
Steps to reproduce the behavior:
Run with terraform apply --parallelism=1
data "aws_vpc" "this" {
  id = aws_default_subnet.this.vpc_id
}

data "aws_iam_policy_document" "this" {
  statement {
    actions = [
      "ec2:CreateNetworkInterface",
      "ec2:DeleteNetworkInterface",
      "ec2:AssignPrivateIpAddresses",
      "ec2:UnassignPrivateIpAddresses",
    ]
    resources = ["*"]
    condition {
      test     = "ArnEqualsIfExists"
      variable = "ec2:vpc"
      values   = [data.aws_vpc.this.arn]
    }
  }

  statement {
    actions = [
      "ec2:DescribeNetworkInterfaces",
    ]
    resources = ["*"]
  }

  depends_on = [
    null_resource.bug
  ]
}

resource "null_resource" "bug" {
  depends_on = [
    module.bug.lambda_function_arn
  ]
}

resource "aws_default_subnet" "this" {
  availability_zone = "eu-central-1a"
}

resource "aws_default_security_group" "this" {
  vpc_id = aws_default_subnet.this.vpc_id
}

module "bug" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "3.3.1"

  description   = "Reproduce Bug"
  function_name = "bug-test"
  handler       = "noop.handler"
  runtime       = "nodejs16.x"
  source_path   = "${path.module}/noop.js"

  # attach_network_policy = true
  attach_policy_json = true
  policy_json        = data.aws_iam_policy_document.this.json

  vpc_subnet_ids         = [aws_default_subnet.this.id]
  vpc_security_group_ids = [aws_default_security_group.this.id]

  publish = true
}
noop.js:
exports.handler = (event, _context, callback) => {
  callback(null, event);
}
Expected behavior
Should create module.bug.aws_iam_role_policy_attachment.additional_josns[0] before module.bug.aws_lambda_function.this[0]
Actual behavior
Terraform tries to create module.bug.aws_lambda_function.this[0] before creating module.bug.aws_iam_role_policy_attachment.additional_josns[0] and fails with:
Error: error creating Lambda Function (1): InvalidParameterValueException: The provided execution role does not have permissions to call CreateNetworkInterface on EC2
Terminal Output
aws_default_subnet.this: Creating...
aws_default_subnet.this: Creation complete after 0s [id=subnet-XXXXX]
data.aws_vpc.this: Reading...
data.aws_vpc.this: Read complete after 1s [id=vpc-XXXXX]
aws_default_security_group.this: Creating...
aws_default_security_group.this: Creation complete after 0s [id=sg-XXXXX]
module.bug.local_file.archive_plan[0]: Creating...
module.bug.local_file.archive_plan[0]: Creation complete after 0s [id=30590ec4ebf9374632cb1501e521462f61e27456]
module.bug.aws_cloudwatch_log_group.lambda[0]: Creating...
module.bug.aws_cloudwatch_log_group.lambda[0]: Creation complete after 0s [id=/aws/lambda/bug-test]
module.bug.null_resource.archive[0]: Creating...
module.bug.null_resource.archive[0]: Provisioning with 'local-exec'...
module.bug.null_resource.archive[0] (local-exec): Executing: ["python3" ".terraform/modules/bug/package.py" "build" "--timestamp" "1657278760814226000" "builds/24f419b047a4f979aba7ae3e389890f01c4b32cfa3393e149198bae08575b07b.plan.json"]
module.bug.null_resource.archive[0] (local-exec): Reused: builds/24f419b047a4f979aba7ae3e389890f01c4b32cfa3393e149198bae08575b07b.zip
module.bug.null_resource.archive[0]: Creation complete after 0s [id=2037954491057665661]
module.bug.aws_iam_role.lambda[0]: Creating...
module.bug.aws_iam_role.lambda[0]: Creation complete after 2s [id=bug-test]
module.bug.aws_lambda_function.this[0]: Creating...
...
module.bug.aws_lambda_function.this[0]: Still creating... [4m50s elapsed]
module.bug.data.aws_iam_policy_document.logs[0]: Reading...
module.bug.data.aws_iam_policy_document.logs[0]: Read complete after 0s [id=2608391955]
module.bug.aws_iam_policy.logs[0]: Creating...
module.bug.aws_iam_policy.logs[0]: Creation complete after 1s [id=arn:aws:iam::XXXXX:policy/bug-test-logs]
module.bug.aws_iam_role_policy_attachment.logs[0]: Creating...
module.bug.aws_iam_role_policy_attachment.logs[0]: Creation complete after 0s [id=bug-test-20220708114853228900000001]
╷
│ Error: error creating Lambda Function (1): InvalidParameterValueException: The provided execution role does not have permissions to call CreateNetworkInterface on EC2
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "1fddced3-ecc3-46b8-aa1f-01f4f3dd45e9"
│   },
│   Message_: "The provided execution role does not have permissions to call CreateNetworkInterface on EC2",
│   Type: "User"
│ }
│
│   with module.bug.aws_lambda_function.this[0],
│   on .terraform/modules/bug/main.tf line 22, in resource "aws_lambda_function" "this":
│   22: resource "aws_lambda_function" "this" {
│
╵
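The ordering problem above can be sidestepped on 3.x without waiting for a module fix by managing the execution role outside the module and making the module block depend on the policy attachment. The following configuration is an added workaround example; it is not part of the issue or of the terraform-aws-modules/lambda code. It assumes the reporter's `aws_default_subnet.this`, `aws_default_security_group.this` and `data.aws_vpc.this` from the reproduction remain in place, uses the module's documented `create_role` and `lambda_role` inputs, and keeps the reporter's VPC-scoped ENI statement instead of the broader `AWSLambdaVPCAccessExecutionRole` managed policy so the role stays least-privilege. Because the module creates no logging policy when `create_role = false`, the CloudWatch Logs permissions are granted here as well (the log group name `/aws/lambda/bug-test` follows from `function_name`; the policy and role names are arbitrary).

```hcl
# Execution role managed outside the module so that all of its policy
# attachments are guaranteed to exist before the function is created.
resource "aws_iam_role" "lambda_vpc" {
  name = "bug-test-vpc-role" # assumed name, pick any

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

data "aws_iam_policy_document" "lambda_vpc" {
  # Same ENI permissions as the reporter's document, still scoped to the
  # target VPC via the ec2:vpc condition key (least privilege).
  statement {
    sid = "EniManagementInThisVpc"
    actions = [
      "ec2:CreateNetworkInterface",
      "ec2:DeleteNetworkInterface",
      "ec2:AssignPrivateIpAddresses",
      "ec2:UnassignPrivateIpAddresses",
    ]
    resources = ["*"]
    condition {
      test     = "ArnEqualsIfExists"
      variable = "ec2:vpc"
      values   = [data.aws_vpc.this.arn]
    }
  }

  statement {
    sid       = "DescribeEnis"
    actions   = ["ec2:DescribeNetworkInterfaces"]
    resources = ["*"]
  }

  # With create_role = false the module attaches no logs policy of its own,
  # so the function's log group must be granted here.
  statement {
    sid       = "WriteFunctionLogs"
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:*:*:log-group:/aws/lambda/bug-test:*"]
  }
}

resource "aws_iam_policy" "lambda_vpc" {
  name   = "bug-test-vpc-policy" # assumed name, pick any
  policy = data.aws_iam_policy_document.lambda_vpc.json
}

resource "aws_iam_role_policy_attachment" "lambda_vpc" {
  role       = aws_iam_role.lambda_vpc.name
  policy_arn = aws_iam_policy.lambda_vpc.arn
}

module "bug" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "3.3.1"

  function_name = "bug-test"
  handler       = "noop.handler"
  runtime       = "nodejs16.x"
  source_path   = "${path.module}/noop.js"

  # Hand the pre-built role to the module instead of letting it create one.
  create_role = false
  lambda_role = aws_iam_role.lambda_vpc.arn

  vpc_subnet_ids         = [aws_default_subnet.this.id]
  vpc_security_group_ids = [aws_default_security_group.this.id]
  publish                = true

  # Module-level depends_on (Terraform >= 0.13) defers every resource inside
  # the module, including aws_lambda_function.this, until the attachment
  # exists, so CreateFunction sees a role that can already call
  # ec2:CreateNetworkInterface.
  depends_on = [aws_iam_role_policy_attachment.lambda_vpc]
}
```

A module-level `depends_on` is a blunt instrument: it also delays unrelated resources in the module and forces the module's data sources to be read at apply time. That is acceptable here because the only thing gating the function is the attachment; it is not a substitute for the module itself ordering `aws_lambda_function` after its own role policy attachments, which is what the 4.0.1 fix referenced below addresses.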
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
This issue was automatically closed because of stale in 10 days
This issue has been resolved in version 4.0.1 :tada:
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.