terraform - Terraform 错误创建 Lambda 函数:ResourceConflictException 与刚刚由 Terraform 创建的资源应用
问题描述
我正在我们账户的每个 AWS 区域中部署一个 Lambda 函数,并遇到奇怪的问题,即应用失败并针对某些 AWS 区域显示以下错误消息
Terraform 应用时出错
Error: Error creating Lambda function: ResourceConflictException: Function already exist: log-forwarder
{
RespMetadata: {
StatusCode: 409,
RequestID: "8cfd7260-7c4a-42d2-98c6-6619c7b2804f"
},
Message_: "Function already exist: log-forwarder",
Type: "User"
}
上面的 Lambda 函数刚刚由失败的同一 Terraform Apply 创建。
terraform plan 和 init 不会引发任何有关 TF 配置问题的错误。
计划和初始化都成功运行。
下面是我的目录结构
.
├── log_forwarder.tf
├── log_forwarder_lambdas
│ └── main.tf
└── providers.tf
下面是我的providers.tf
文件
provider "aws" {
region = "us-east-1"
version = "3.9.0"
}
provider "aws" {
alias = "us-east-2"
region = "us-east-2"
version = "3.9.0"
}
provider "aws" {
alias = "us-west-2"
region = "us-west-2"
version = "3.9.0"
}
provider "aws" {
alias = "us-west-1"
region = "us-west-1"
version = "3.9.0"
}
provider "aws" {
alias = "ca-central-1"
region = "ca-central-1"
version = "3.9.0"
}
... with all the AWS Regions.
下面是 tf 配置log_forwarder.tf
terraform {
required_version = "0.12.25"
backend "s3" {
All the backend Config
}
}
resource "aws_iam_role" "log_forwarder" {
name = "LogForwarder"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": ["lambda.amazonaws.com"]
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy" "log_forwarder" {
name = "LogForwarder"
role = aws_iam_role.log_forwarder.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:ListTags",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*",
"arn:aws:lambda:*"
]
},
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": "*"
},
{
"Sid": "AWSDatadogPermissionsForCloudtrail",
"Effect": "Allow",
"Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject", "s3:ListObjects"],
"Resource": [
"arn:aws:s3:::BucketName",
"arn:aws:s3:::BucketName/*"
]
}
]
}
EOF
}
module "DDLogForwarderUSEast1" {
source = "./log_forwarder_lambdas"
dd_log_forwarder_role = aws_iam_role.log_forwarder.arn
region = "us-east-1"
}
module "DDLogForwarderUSEast2" {
source = "./log_forwarder_lambdas"
dd_log_forwarder_role = aws_iam_role.log_forwarder.arn
providers = { aws = aws.us-east-2 }
region = "us-east-2"
}
module "DDLogForwarderUSWest1" {
source = "./log_forwarder_lambdas"
dd_log_forwarder_role = aws_iam_role.log_forwarder.arn
providers = { aws = aws.us-west-1 }
region = "us-west-1"
}
module "DDLogForwarderUSWest2" {
source = "./log_forwarder_lambdas"
dd_log_forwarder_role = aws_iam_role.log_forwarder.arn
region = "us-west-2"
providers = { aws = aws.us-west-2 }
}
module "DDLogForwarderAPEast1" {
source = "./log_forwarder_lambdas"
dd_log_forwarder_role = aws_iam_role.log_forwarder.arn
providers = { aws = aws.ap-east-1 }
region = "ap-east-1"
}
module "DDLogForwarderAPSouth1" {
source = "./log_forwarder_lambdas"
dd_log_forwarder_role = aws_iam_role.log_forwarder.arn
region = "ap-south-1"
providers = { aws = aws.ap-south-1 }
}
... All AWS Regions with different providers
TF 配置log_forwarder_lambdas/main.tf
variable "region" {}
variable "account_id" {
default = "AWS Account Id"
}
variable "dd_log_forwarder_role" {}
variable "exclude_at_match" {
default = "([A-Z]* RequestId: .*)"
}
data "aws_s3_bucket" "cloudtrail_bucket" {
count = var.region == "us-west-2" ? 1 : 0
bucket = "BucketName"
}
resource "aws_lambda_function" "log_forwarder" {
filename = "${path.cwd}/log_forwarder_lambdas/aws-dd-forwarder-3.16.3.zip"
function_name = "log-forwarder"
role = var.dd_log_forwarder_role
description = "Gathers logs from targetted Cloudwatch Log Groups and sends them to DataDog"
handler = "lambda_function.lambda_handler"
runtime = "python3.7"
timeout = 600
memory_size = 1024
layers = ["arn:aws:lambda:${var.region}:464622532012:layer:Datadog-Python37:11"]
environment {
variables = {
DD_ENHANCED_METRICS = false
EXCLUDE_AT_MATCH = var.exclude_at_match
}
}
}
resource "aws_cloudwatch_log_group" "log_forwarder" {
name = "/aws/lambda/${aws_lambda_function.log_forwarder.function_name}"
retention_in_days = 90
}
resource "aws_lambda_permission" "cloudtrail_bucket" {
count = var.region == "us-west-2" ? 1 : 0
statement_id = "AllowExecutionFromS3Bucket"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.log_forwarder.arn
principal = "s3.amazonaws.com"
source_arn = element(data.aws_s3_bucket.cloudtrail_bucket.*.arn, count.index)
}
resource "aws_s3_bucket_notification" "cloudtrail_bucket_notification" {
count = var.region == "us-west-2" ? 1 : 0
bucket = element(data.aws_s3_bucket.cloudtrail_bucket.*.id, count.index)
lambda_function {
lambda_function_arn = aws_lambda_function.log_forwarder.arn
events = ["s3:ObjectCreated:*"]
}
depends_on = [aws_lambda_permission.cloudtrail_bucket, aws_cloudwatch_log_group.log_forwarder]
}
在这种情况下,我使用的是 TF 0.12.25。
到目前为止我尝试过的事情。
- 每次运行 Terraform init/plan/apply 循环时,从根模块中删除 .terraform 文件夹
- 我试图尽可能地重构代码。
- 我在没有任何 CI 的情况下在本地运行 TF 计划/应用周期。
解决方案
乍一看,似乎 Lambda 函数可能不在您的 Terraform 状态(无论出于何种原因)。您是否更改了后端/从后端删除了数据?
运行一个terraform show
和/或terraform state show
并查看冲突的 Lambda 函数是否处于您的状态。
如果不是,但它已经存在于 AWS 中,您可以导入它。
见这里:https ://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#import
更新:
根据您的评论,由于资源存在于 AWS 但不在状态中,因此这是一个预期错误。(Terraform 不知道资源存在,因此尝试创建它;AWS 知道它已经存在,因此返回错误。)
你有两个选择:
- 删除 AWS 中的资源,再次运行 Terraform;或者
- 将现有资源导入 Terraform(推荐)。
尝试类似:
terraform import module.DDLogForwarderUSEast1.aws_lambda_function.log-forwarder log-forwarder
(如果在其他地区尝试此操作,请确保您设置了正确的提供商/地区!)
推荐阅读
- javascript - 如何在我的 evenlistener 上传递一个参数而不在页面加载时触发该函数?
- oracle-sqldeveloper - 拆分源数据以获得特定的数据预言机
- haskell - 为什么 kleisli 组合需要一个纯值?
- reactjs - 当客户端托管 MERN 堆栈时,API 调用不会转到服务器
- java - Azure 将 blob 容器复制到另一个具有不同层的 blob 容器 [java]
- php - 在 /var/www/html/projectname/bootstrap/app.php 中找不到类 'illuminate\foundation\application'
- azure - Azure AD 特权身份管理
- neo4j - 如何在 neo4j 4.xx 中使用算法
- excel - 多个数字标准的 SUMIFS
- command-line - 我可以从同一目录中的多个命令行提示符打开和运行吗?