
EventBridge rule doesn't trigger Lambda

Open · StFS opened this issue 2 years ago • 3 comments

This is really more of a question because I did manage to get this working eventually.

I had created an EventBridge "resource" that created a rule that was triggered on S3 object creation. This rule triggered a step function and everything worked fine:

# This simply enables EventBridge events being emitted from the S3 bucket
resource "aws_s3_bucket_notification" "enable_s3_bucket_eventbridge_notification" {
  bucket = data.aws_s3_bucket.inbound.id
  eventbridge = true
}

module "eventbridge" {
  source  = "terraform-aws-modules/eventbridge/aws"
  version = "1.14.1"

  # We should not create our own event bus since only the default event bus can
  # receive events from Amazon services:
  # https://stackoverflow.com/questions/70850567/default-vs-custom-eventbridge-bus
  create_bus = false

  role_name        = "MyFeature_EventBridge_Role"
  role_description = "My Feature EventBridge Role"

  rules = {
    data_ingress_object_creation = {
      description = "Notification of S3 object creation"
      event_pattern = jsonencode({
        "source" : ["aws.s3"],
        "detail-type" : ["Object Created"],
        "detail" : {
          "bucket" : {
            "name" : [data.aws_s3_bucket.inbound.id]
          }
        }
      })
    }
  }
  targets = {
    data_ingress_object_creation = [
      {
        name            = "data_ingress_step_function_target"
        arn             = module.data_ingress_step_function.state_machine_arn
        attach_role_arn = true
      }
    ]
  }

  sfn_target_arns   = [module.data_ingress_step_function.state_machine_arn]
  attach_sfn_policy = true
}

And that was it; it just worked. My step function got triggered and ran fine without my having to make any changes to the step function terraform resources.

But now, I need to do a similar thing but instead of triggering a StepFunction I need to trigger a Lambda directly.

What I did was copy the code that worked for the StepFunction above but of course I changed sfn_target_arns and attach_sfn_policy to lambda_target_arns and attach_lambda_policy as well as changing all the references to a step function over to the lambda.

My first problem was that I got an error that stated: ValidationException: RoleArn is not supported for target [my lambda arn].

So I removed the attach_role_arn = true settings from the target definition.

Then the terraform plan/apply went fine but the actual trigger didn't work. I added objects to the S3 bucket but the Lambda was never invoked.

After some poking around and creating my own manual EventBridge rule, I noticed that doing so resulted in a "Resource based policy" being created on the lambda, allowing the EventBridge trigger to invoke it.

To make a long story short, we eventually got this to work by modifying the Terraform lambda definition and adding the following to it:

module "data_ingress_producer_lambda" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "3.3.1"

  # [ ... some stuff omitted, the config below is what needed to be added ... ]

  create_current_version_allowed_triggers = false

  # Resource-based policy on the function: lets the EventBridge service principal
  # invoke it, but only on behalf of this specific rule (source_arn).
  allowed_triggers = {
    AllowEventBridgeInvocation = {
      principal  = "events.amazonaws.com"
      source_arn = module.eventbridge.eventbridge_rule_arns["data_ingress_object_creation"]
    }
  }
}

So my question is simply: do I actually need this configuration that I added to my lambda resource or am I missing something that I could adjust in the eventbridge resource so this happens automatically? It seems a bit odd to me that this would be needed for a lambda but not for a step function.

I was going to complain that this isn't that well documented but before doing that I (of course) noticed that this is "documented" in the complete example: https://github.com/terraform-aws-modules/terraform-aws-eventbridge/blob/master/examples/complete/main.tf#L329

Although, I could point out that there doesn't seem to be any explanation on why this is needed or that this is something that needs to be kept in mind for lambdas.

StFS avatar Jun 28 '22 14:06 StFS

Hi @StFS

do I actually need this configuration that I added to my lambda resource or am I missing something that I could adjust in the eventbridge resource so this happens automatically?

You didn't miss anything, it's just the way you have to configure Lambdas.

The docs you're looking for are here https://github.com/terraform-aws-modules/terraform-aws-lambda#lambda-permissions-for-allowed-triggers and it's somewhat unrelated to EventBridge. But it's good that you've outlined your problem including the solution here.

svenlito avatar Jun 29 '22 04:06 svenlito
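The Lambda-side permission discussed above can be audited after the fact. As an added example (not part of the issue, the eventbridge module or the lambda module), this Python inspects a Lambda resource-based policy in the JSON shape `aws lambda get-policy` returns and reports whether `events.amazonaws.com` may invoke the function and whether that grant is scoped to the rule ARN; the ARNs and the sample policy are constructed placeholders.

```python
import fnmatch
import json

# Constructed placeholder ARN for the rule the issue's allowed_triggers block references.
RULE_ARN = "arn:aws:events:eu-west-1:111122223333:rule/data_ingress_object_creation"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def sample_policy(condition=None):
    """Constructed stand-in for `aws lambda get-policy` output (placeholder ARNs)."""
    stmt = {
        "Sid": "AllowEventBridgeInvocation",
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:eu-west-1:111122223333:function:data_ingress_producer",
    }
    if condition is not None:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


def eventbridge_invoke_status(policy_json, rule_arn):
    """Return "scoped" (EventBridge may invoke, limited to rule_arn via aws:SourceArn),
    "unscoped" (EventBridge may invoke with no SourceArn/SourceAccount condition, so a
    rule in any AWS account could trigger the function), or "missing" (no statement
    grants EventBridge invoke for this rule, which is the issue's symptom)."""
    result = "missing"
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Allow"
                or "lambda:InvokeFunction" not in _as_list(stmt.get("Action", []))
                or "events.amazonaws.com" not in services):
            continue
        cond = stmt.get("Condition", {})
        arns = [v for op in cond.values() for k, vals in op.items()
                if k.lower() == "aws:sourcearn" for v in _as_list(vals)]
        has_account = any(k.lower() == "aws:sourceaccount" for op in cond.values() for k in op)
        if not arns and not has_account:
            return "unscoped"  # worst finding: report it regardless of other statements
        if any(fnmatch.fnmatchcase(rule_arn, pattern) for pattern in arns):  # ArnLike wildcards
            result = "scoped"
    return result
```

The Terraform in the issue produces the "scoped" case; omitting `source_arn` from `allowed_triggers` produces the "unscoped" one.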

@StFS I had the same experience, but when I created the EventBridge Rule on the AWS console I noticed the following warning that made me understand that the console made more than just the EventBridge configuration, but also the Lambda-side of the config:

Note: When using the EventBridge console, EventBridge will automatically configure the proper permissions for the selected targets. If you're using the AWS CLI, SDK, or CloudFormation, you'll need to configure the proper permissions.

ajoga avatar Jul 21 '22 07:07 ajoga

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] avatar Aug 21 '22 00:08 github-actions[bot]

This issue was automatically closed because of stale in 10 days

github-actions[bot] avatar Sep 01 '22 00:09 github-actions[bot]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Mar 09 '24 02:03 github-actions[bot]