I have a module I want to build that requires the Lambda role's ARN. Currently, these lambda's and the role are being built in a different repo so I want to use data blocks to get the ARN of the role attached to the lambda.
Currently what I've been trying to do is the following:
data "aws_lambda_function" "existing" {
  function_name = var.function_name
}

data "aws_iam_role" "example" {
  name = "${data.aws_lambda_function.existing.role}"
}
Where I'll use the following:
allowed-principal-arns = [
  "${data.aws_iam_role.example.arn}"
]
However, I've been getting the following error:
│ Error: reading IAM Role (lambda_arn): ValidationError: The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_-
│ 	status code: 400, request id: ***************
│
│   with module.secrets_manager.data.aws_iam_role.example,
│   on module/secrets_manager/main.tf line 5, in data "aws_iam_role" "example":
│    5: data "aws_iam_role" "example" {
│
Any ideas? I'm still kinda new to terraform.
I'm pretty sure the role value returned from data.aws_lambda_function.existing.role is an ARN, not a role name. The data source documentation is unfortunately lacking the details of that, but the resource requires the role to be an ARN, not a name, so the format returned from the data source should be an ARN also. It would also certainly explain the error message you are getting.
I think you can remove this code completely:
data "aws_iam_role" "example" {
  name = "${data.aws_lambda_function.existing.role}"
}
And just do this:
allowed-principal-arns = [
  data.aws_lambda_function.existing.role
]
Note, if you are just referencing a value in Terraform without doing any sort of string concatenation or anything, you don't need to wrap it in "${ }", you can just reference the value directly, so for example this:
allowed-principal-arns = [
  "${data.aws_iam_role.example.arn}"
]
Can be simplified to this:
allowed-principal-arns = [
  data.aws_iam_role.example.arn
]
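As an added example (not part of the question or the answer above), the following shows the case where the ARN alone is not enough and the aws_iam_role data source really is needed, for instance to read the role's unique_id. Since the lambda data source returns an ARN, the role name has to be derived from it first; the module name, variable and output names are assumptions for illustration.

```hcl
# Added example: derive the IAM role name from the ARN the Lambda data
# source returns, then look the role up by name.

data "aws_lambda_function" "existing" {
  function_name = var.function_name
}

locals {
  # Assumption: data.aws_lambda_function.existing.role is a role ARN such as
  #   arn:aws:iam::123456789012:role/service-role/my-fn-role
  # The role name is everything after the final "/" (roles can have a path,
  # so splitting on "/" and taking the last element is safer than a fixed
  # prefix strip).
  lambda_role_name = regex("[^/]+$", data.aws_lambda_function.existing.role)
}

data "aws_iam_role" "lambda" {
  name = local.lambda_role_name

  lifecycle {
    # Fail early with a readable message if the derived name would be
    # rejected by IAM (the same character set named in the error above).
    precondition {
      condition     = can(regex("^[A-Za-z0-9+=,.@_-]+$", local.lambda_role_name))
      error_message = "Derived role name '${local.lambda_role_name}' is not a valid IAM role name."
    }
  }
}

# The ARN is available directly from the Lambda data source; no extra lookup needed.
output "lambda_role_arn" {
  value = data.aws_lambda_function.existing.role
}

# Attributes that only the role data source exposes, e.g. the role's unique_id.
output "lambda_role_unique_id" {
  value = data.aws_iam_role.lambda.unique_id
}
```

The unique_id is worth capturing where a trust or resource policy must not silently start trusting a different principal: if a role is deleted and recreated under the same name, it gets a new unique ID, so a policy written against the ID stops matching, whereas one written against the name-based ARN would match the new role.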