
Lambda function EventBridge trigger is not getting configured using Terraform


I am trying to configure a Lambda function and a CloudWatch/EventBridge trigger so that the Lambda runs on a cron schedule, and also pass some parameters to the Lambda when it is triggered.

Here is my .tf configuration:

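resource "aws_lambda_function" "lambda" {
  function_name = "dp_ing_sls_chr4g-om-lambda"
  filename      = "dp_ing_sls_chr4g-om-lambda.zip"
  # Without source_code_hash Terraform only compares the filename, so a
  # rebuilt zip with the same name is never redeployed.
  source_code_hash = filebase64sha256("dp_ing_sls_chr4g-om-lambda.zip")
  handler       = "dp_ing_sls_chr4g-om-lambda.lambda_handler"
  # Execution role assumed by the function (trust policy is defined below).
  role          = aws_iam_role.iam_for_lambda.arn
  # NOTE(review): python3.8 is a deprecated Lambda runtime (no more security
  # patches; AWS eventually blocks updates to functions on it) -- move to a
  # supported Python runtime once the handler has been tested on it.
  runtime       = "python3.8"
  timeout       = 900   # seconds; 15 minutes is the Lambda maximum
  memory_size   = 192
  package_type  = "Zip"
  architectures = ["x86_64"]
  ephemeral_storage {
    size = 512   # MB; /tmp size
  }

  tags = {
    product = var.tag
  }
}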

resource "aws_cloudwatch_event_rule" "lambda_cron_trigger" {
  # Fires every day at 12:00. EventBridge cron expressions have six fields
  # and are always evaluated in UTC.
  schedule_expression = "cron(0 12 * * ? *)"
  name                = "LambdaCronTrigger"
}
    
resource "aws_cloudwatch_event_target" "lambda_target" {
  target_id = "LambdaTarget"
  arn       = aws_lambda_function.lambda.arn
  rule      = aws_cloudwatch_event_rule.lambda_cron_trigger.name

  # Static JSON delivered as the invocation event (replaces the default
  # scheduled-event payload). Note that a target only tells EventBridge
  # *where* to send the event; the function itself must still allow
  # events.amazonaws.com to invoke it via a resource-based permission.
  input = jsonencode({
    deployment = "dev"
    org        = "CS"
  })
}
    
resource "aws_cloudwatch_log_group" "lambda_logs" {
  # Lambda writes to /aws/lambda/<function name>; managing the group here is
  # what lets us set a retention period. If the function is invoked before
  # this resource is created, Lambda can create the group itself and the
  # apply will then fail on the name clash.
  retention_in_days = 3   # NOTE(review): 3 days leaves little for incident investigation
  name              = "/aws/lambda/${aws_lambda_function.lambda.function_name}"
  # No kms_key_id is set, so the group uses the CloudWatch default encryption.
}
    
resource "aws_iam_policy" "lambda_invoke_policy" {
  # NOTE(review): this is an IAM *identity* policy; it is attached below to
  # the Lambda's own execution role. That does not authorise EventBridge to
  # invoke the function -- a service principal needs a *resource-based*
  # policy on the function (aws_lambda_permission with
  # principal = "events.amazonaws.com"). All this policy does is let the
  # function's role invoke the function itself, which nothing here needs,
  # so it can be removed once the Lambda permission is in place.
  name        = "LambdaInvokePolicy"
  description = "Policy to allow CloudWatch Events to invoke Lambda function"
  policy = jsonencode({
      Version = "2012-10-17",
      Statement = [{
         Effect   = "Allow",
         Action   = "lambda:InvokeFunction",
         Resource = aws_lambda_function.lambda.arn
      }]
   })
}
    
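resource "aws_iam_policy_attachment" "lambda_invoke_attachment" {
  # `roles` takes role *names*, not ARNs; an ARN here is rejected by IAM.
  # Note that aws_iam_policy_attachment is exclusive: it detaches the policy
  # from any role/user/group not listed here. aws_iam_role_policy_attachment
  # (one role per resource) is the safer choice for a single role.
  name       = "LambdaInvokeAttachment"
  policy_arn = aws_iam_policy.lambda_invoke_policy.arn
  roles      = [aws_iam_role.iam_for_lambda.name]
}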
    
# # section for lambda iam role
    
resource "aws_iam_role" "iam_for_lambda" {
  name = "iam_for_lambda"

  # Trust policy: only the Lambda service may assume this role.
  # (jsonencode sorts object keys, so attribute order here is cosmetic.)
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = ""
        Effect    = "Allow"
        Principal = { Service = "lambda.amazonaws.com" }
        Action    = "sts:AssumeRole"
      },
    ]
  })
  # NOTE(review): nothing in this file grants the role logs:CreateLogStream /
  # logs:PutLogEvents (e.g. AWSLambdaBasicExecutionRole), so the function
  # cannot write to the log group above unless that is attached elsewhere.
}

When I run this, all the resources are created. I can see the EventBridge rule in the CloudWatch console, but the trigger is not attached to the Lambda function.

After more research I learned that the trigger is not being attached to the Lambda function because some permissions are missing.


Solution

  • It looks like you are missing the Lambda permission resource. The IAM policy you attach to the execution role does not help here: EventBridge is authorised by a resource-based policy on the function itself, which is what `aws_lambda_permission` creates. Scope it with `source_arn` so that only this rule can invoke the function:

    resource "aws_lambda_permission" "allow_eventbridge" {
      # Resource-based policy on the function: the EventBridge service may
      # invoke it, but only on behalf of this specific rule. Keep source_arn --
      # without it any EventBridge rule that targets this ARN, including one
      # from another account, would be allowed to invoke the function.
      function_name = aws_lambda_function.lambda.function_name
      principal     = "events.amazonaws.com"
      source_arn    = aws_cloudwatch_event_rule.lambda_cron_trigger.arn
      action        = "lambda:InvokeFunction"
      statement_id  = "AllowExecutionFromEventBridge"
    }