hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_s3_bucket_notification doesn't accept lambda version as a target #25616

Open daniel4yg opened 2 years ago

daniel4yg commented 2 years ago

Terraform CLI and Terraform AWS Provider Version

Terraform v0.15.1 on darwin_amd64

Affected Resource(s)

aws_s3_bucket_notification

Terraform Configuration Files

resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = data.aws_s3_bucket.bucket.id

  lambda_function {
    # qualified ARN (function:version) must be a quoted string in HCL
    lambda_function_arn = "arn:aws:lambda:eu-west-1:XYZ:function:FunctionName:Version"
    events              = ["s3:ObjectCreated:Put"]
    filter_prefix       = "staging/prefix"
    filter_suffix       = "upload"
  }

  depends_on = [aws_lambda_permission.allow_bucket]
}

Expected Behaviour

Providing a version or alias as a target (lambda_function_arn) is correct and should work without returning the following error:

Error: error putting S3 Bucket Notification Configuration: InvalidArgument: Unable to validate the following destination configurations

https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketNotificationConfiguration.html

status code: 400

Actual Behavior

Error: error putting S3 Bucket Notification Configuration: InvalidArgument: Unable to validate the following destination configurations

status code: 400

Steps to Reproduce

  1. terraform apply

justinretzolk commented 2 years ago

Hey @daniel4yg 👋 Thank you for taking the time to raise this! It looks like the error message you're receiving is coming from the AWS API rather than from Terraform or the AWS Provider. I've not been able to locate any specific AWS documentation on the compatibility of using a specific function version or alias for S3 bucket notifications, but it does seem like something that should work. Debug logs may help us get a better understanding of what's happening here; is that something you can provide (redacted as needed)?

fredleger commented 8 months ago

Old issue, but in case you found it from a search engine: you might be facing this issue because you never created a notification from S3 to a Lambda function through the console in this AWS account. It seems there is some magic done when you do it from the console the first time. I looked through the policies but didn't find an altered one after doing so ... give it a try.

GalOzRlz commented 7 months ago

> Old issue, but in case you found it from a search engine: you might be facing this issue because you never created a notification from S3 to a Lambda function through the console in this AWS account. It seems there is some magic done when you do it from the console the first time. I looked through the policies but didn't find an altered one after doing so ... give it a try.

worked for me!

charltonstanley commented 6 months ago

> Old issue, but in case you found it from a search engine: you might be facing this issue because you never created a notification from S3 to a Lambda function through the console in this AWS account. It seems there is some magic done when you do it from the console the first time. I looked through the policies but didn't find an altered one after doing so ... give it a try.

I think the reason it worked after you did it through the console is that a permission was added directly to the function allowing the S3 bucket to invoke it. After seeing your comment, I remembered that these pesky permissions were a thing, so I found an example of it right on the docs page for the aws_s3_bucket_notification resource.

Using the example, here is how mine ended up working (to be clear, I did not create the notification through the console first):

# Resource-based policy on the function: lets S3 (and only this bucket) invoke it.
resource "aws_lambda_permission" "allow_s3_bucket_invoke" {
  statement_id  = "AllowExecutionFromS3Bucket"
  action        = "lambda:InvokeFunction"
  function_name = "<your lambda function arn here>"
  principal     = "s3.amazonaws.com"
  source_arn    = "<your s3 bucket arn here>"
}

# The notification must be created after the permission, or S3 rejects the
# destination with the InvalidArgument error above.
resource "aws_s3_bucket_notification" "lambda_trigger" {
  bucket   = "<your s3 bucket name here>"
  lambda_function {
    lambda_function_arn = "<your lambda function arn here>"
    id                  = "ObjectCreatedEvents"
    events              = ["s3:ObjectCreated:*"]
    filter_prefix       = "metadata_triggers/"
    filter_suffix       = ".json"
  }
  depends_on = [
    aws_lambda_permission.allow_s3_bucket_invoke
  ]
}
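The following configuration is an added example, not code from this thread or from the provider's documentation. It combines the original report (a version or alias as the notification target) with the permission fix above: the aws_lambda_permission is attached to the alias via `qualifier`, so the resource policy lives on the same qualified ARN that the notification references, and it is scoped with `source_arn` and `source_account` so only that one bucket in this account can invoke the function. The resource names `ingest`, `uploads` and the alias `live` are placeholders, and it assumes an `aws_lambda_function.ingest` (created with `publish = true`, so `version` is a numbered version rather than `$LATEST`) and an `aws_s3_bucket.uploads` are defined elsewhere in the module. That the permission must sit on the qualified ARN when the target is an alias is my reading of how S3 validates the destination, not something the thread states.

```hcl
# Added example (not from this issue thread). Assumes aws_lambda_function.ingest
# (publish = true) and aws_s3_bucket.uploads exist elsewhere in the module.

data "aws_caller_identity" "current" {}

# Alias that tracks the published version we want S3 to call.
resource "aws_lambda_alias" "live" {
  name             = "live"
  function_name    = aws_lambda_function.ingest.function_name
  function_version = aws_lambda_function.ingest.version
}

# Resource-based policy on the alias (qualified ARN), not on $LATEST.
# source_arn + source_account prevent any other bucket or account from
# invoking the function through the s3.amazonaws.com service principal.
resource "aws_lambda_permission" "allow_bucket" {
  statement_id   = "AllowExecutionFromS3Bucket"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.ingest.function_name
  qualifier      = aws_lambda_alias.live.name
  principal      = "s3.amazonaws.com"
  source_arn     = aws_s3_bucket.uploads.arn
  source_account = data.aws_caller_identity.current.account_id
}

# Notification targets the alias ARN (…:function:ingest:live), the same
# qualified ARN the permission above was attached to.
resource "aws_s3_bucket_notification" "uploads" {
  bucket = aws_s3_bucket.uploads.id

  lambda_function {
    lambda_function_arn = aws_lambda_alias.live.arn
    events              = ["s3:ObjectCreated:Put"]
    filter_prefix       = "staging/prefix/"
    filter_suffix       = ".json"
  }

  # Create the permission first; otherwise PutBucketNotificationConfiguration
  # fails with the InvalidArgument / 400 shown in the original report.
  depends_on = [aws_lambda_permission.allow_bucket]
}
```

If the function's policy was granted on the unqualified ARN (no `qualifier`) while the notification points at a version or alias, S3's destination validation has nothing to match against and returns the same 400; `aws lambda get-policy --function-name ingest --qualifier live` is a quick way to confirm which ARN actually carries the statement before re-running `terraform apply`.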