
aws_iot_topic_rule Creates Rule in IoT but does not actually trigger Lambda #24196

Closed · emazzotta opened this issue Apr 12, 2022 · 3 comments
Labels
service/iot Issues and PRs that pertain to the iot service. service/lambda Issues and PRs that pertain to the lambda service.

Comments

@emazzotta

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.8
on linux_amd64

  • provider registry.terraform.io/hashicorp/archive v2.2.0
  • provider registry.terraform.io/hashicorp/aws v4.9.0
  • provider registry.terraform.io/hashicorp/google-beta v4.17.0
  • provider registry.terraform.io/hashicorp/random v3.1.2

Affected Resource(s)

  • aws_iot_topic_rule

Terraform Configuration Files

```hcl
resource "aws_iot_topic_rule" "decommission_access_topic_rule" {
  name        = "${var.prefix}_decommission_access"
  description = "Decommission IoT device access"
  enabled     = true
  sql         = "SELECT * as data, topic(2) as id from 'roaster/+/decommission'"
  sql_version = "2016-03-23"

  lambda {
    function_arn = aws_lambda_function.decommissionRoasterAccess_lambda.arn
  }
}
```

```hcl
resource "aws_lambda_function" "decommissionRoasterAccess_lambda" {
  function_name    = "${var.prefix}_decommissionRoasterAccess_lambda"
  filename         = "${path.module}/../lambdas/zips/iot-roaster-access-decommission.zip"
  source_code_hash = filebase64sha256("${path.module}/../lambdas/zips/iot-roaster-access-decommission.zip")
  role             = aws_iam_role.iam_lambda_role.arn
  runtime          = "python3.8"
  handler          = "lambda_function.decommission_access"

  depends_on = [
    aws_iam_role_policy_attachment.lambda_write_logs
  ]

  environment {
    variables = {
      REGION_NAME         = var.aws_region
      ROASTER_POLICY_NAME = aws_iot_policy.roaster_thing_policy.name
    }
  }
}
```

Debug Output

```text
  # module.iot.aws_iot_topic_rule.decommission_access_topic_rule will be created
  + resource "aws_iot_topic_rule" "decommission_access_topic_rule" {
      + arn         = (known after apply)
      + description = "Decommission IoT device access"
      + enabled     = true
      + id          = (known after apply)
      + name        = "iot_staging_decommission_access"
      + sql         = "SELECT * as data, topic(2) as id from 'roaster/+/decommission'"
      + sql_version = "2016-03-23"
      + tags_all    = (known after apply)

      + lambda {
          + function_arn = (known after apply)
        }
    }

module.iot.aws_iot_topic_rule.decommission_access_topic_rule: Creating...
module.iot.aws_iot_topic_rule.decommission_access_topic_rule: Creation complete after 1s [id=iot_staging_decommission_access]
```

The logs don't hint at any issues during runtime.

Expected Behavior

When publishing to the topic roaster/<something>/decommission the Lambda decommissionRoasterAccess_lambda should be triggered.

Also, I would expect the IoT Rule triggering the Lambda to be visible in the AWS web UI both from the IoT and the Lambda perspective.

Actual Behavior

The Lambda is not triggered.

According to the AWS web UI the trigger is correctly registered from an IoT perspective:
[screenshot]

However it is missing from the Lambda perspective:
[screenshot]

Once I manually add it as the Lambda trigger here:
[screenshot]

The Lambda triggers successfully as expected.

Alternatively, if I manually remove the Lambda from the IoT Rule perspective (by clicking on "Clear" and reselecting the same Lambda), the Lambda is correctly registered as a trigger and again, works successfully.

[screenshot]

github-actions bot added the labels needs-triage, service/iot and service/lambda on Apr 12, 2022
@justinretzolk (Member)

Hey @emazzotta 👋 Thank you for taking the time to raise this! I started to look into it, which led me to this StackOverflow post that seems eerily similar to your situation. The answers within then led me to this AWS document which seems to indicate that this may be a permissions issue where you need to add an additional resource (or perhaps resources depending on your configuration) to allow IoT to invoke the Lambda function. Can you take a look over these documents and see if that resolves the issue you're seeing?

justinretzolk added the label waiting-response and removed needs-triage on Apr 12, 2022
@emazzotta (Author)

Hey @justinretzolk!

Thanks for the hint. I managed to fix it and it was indeed an issue with permissions.
I was under the impression that attaching the following policy to my IoT IAM role would suffice:

```hcl
data "aws_iam_policy_document" "iam_invoke_lambda_policy_document" {
  statement {
    actions   = ["lambda:InvokeFunction"]
    resources = ["*"]
  }
}
```

However, as it turns out, by checking the difference between a Lambda created by Terraform and one where I manually added the trigger, I spotted the following difference:

Created via Terraform:
[screenshot, 2022-04-20 14:33:52]

Edited manually:
[screenshot, 2022-04-20 14:34:02]

This was the missing permission, enabling everything to work as expected:

```hcl
resource "aws_lambda_permission" "decommission_access_topic_rule_permission" {
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.decommissionRoasterAccess_lambda.function_name
  principal     = "iot.amazonaws.com"
  source_arn    = aws_iot_topic_rule.decommission_access_topic_rule.arn
}
```

Thanks again for your input! 🙂
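The resolution in the two comments above comes down to one fact: the IAM role attached to the topic rule is not what authorises the invocation; the function's own resource-based policy must carry an Allow for the `iot.amazonaws.com` service principal, and `source_arn` pins that grant to the one rule. The script below is an added example for this page, not code from the issue, the provider or AWS. It classifies a function's resource policy as `missing` (the symptom reported here), `scoped` (what the `aws_lambda_permission` above produces) or `unscoped` (a grant to `iot.amazonaws.com` with no `aws:SourceArn` condition, which lets any IoT rule in any AWS account invoke the function). The rule ARN, function ARN, account id and the three policy documents are constructed samples; to check a real function, pass the string returned by `aws lambda get-policy --function-name <name> --query Policy --output text` and the rule ARN from `terraform output` or `aws iot get-topic-rule`.

```python
"""Classify a Lambda resource-based policy's grant to an AWS IoT topic rule.

Offline check over the JSON string that `aws lambda get-policy` (or boto3's
lambda.get_policy) returns in its "Policy" field.
"""
import fnmatch
import json

IOT_SERVICE_PRINCIPAL = "iot.amazonaws.com"
INVOKE_ACTION = "lambda:InvokeFunction"

# Constructed sample identifiers: region and account id are placeholders, the
# names follow the ones used in the issue.
FUNCTION_ARN = ("arn:aws:lambda:eu-west-1:123456789012:function:"
                "iot_staging_decommissionRoasterAccess_lambda")
RULE_ARN = "arn:aws:iot:eu-west-1:123456789012:rule/iot_staging_decommission_access"


def _permission_policy(statements):
    """Wrap statements in the envelope Lambda uses for its resource-based policy."""
    return json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": statements})


# Constructed policies: no aws_lambda_permission at all (the reported symptom),
# one scoped by source_arn to the rule, and one that omits source_arn.
EMPTY_POLICY = _permission_policy([])
SCOPED_POLICY = _permission_policy([{
    "Sid": "AllowIotRule", "Effect": "Allow",
    "Principal": {"Service": IOT_SERVICE_PRINCIPAL},
    "Action": INVOKE_ACTION, "Resource": FUNCTION_ARN,
    "Condition": {"ArnLike": {"AWS:SourceArn": RULE_ARN}},
}])
UNSCOPED_POLICY = _permission_policy([{
    "Sid": "AllowAnyIotRule", "Effect": "Allow",
    "Principal": {"Service": IOT_SERVICE_PRINCIPAL},
    "Action": INVOKE_ACTION, "Resource": FUNCTION_ARN,
}])


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_iot_invoke(stmt):
    """True if an Allow statement lets the IoT service principal call InvokeFunction."""
    if stmt.get("Effect") != "Allow":
        return False
    # IAM action names are case-insensitive and may carry '*' wildcards.
    if not any(fnmatch.fnmatchcase(INVOKE_ACTION.lower(), action.lower())
               for action in _as_list(stmt.get("Action"))):
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and \
        IOT_SERVICE_PRINCIPAL in _as_list(principal.get("Service"))


def _source_arn_patterns(condition):
    """Collect aws:SourceArn patterns from ArnLike/ArnEquals (condition keys are case-insensitive)."""
    patterns = []
    for operator, keys in (condition or {}).items():
        if operator.lower() in ("arnlike", "arnequals"):
            for key, values in keys.items():
                if key.lower() == "aws:sourcearn":
                    patterns.extend(_as_list(values))
    return patterns


def check_iot_invoke(policy_json, rule_arn):
    """Return 'missing', 'scoped' or 'unscoped' for the grant covering rule_arn.

    'unscoped' wins over 'scoped': a statement with no aws:SourceArn condition
    lets any IoT rule, in any AWS account, invoke the function. Only Allow
    statements are examined; Lambda's AddPermission API writes no others.
    """
    verdict = "missing"
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if not _grants_iot_invoke(stmt):
            continue
        patterns = _source_arn_patterns(stmt.get("Condition"))
        if not patterns:
            return "unscoped"
        # ArnLike accepts '*' and '?' wildcards, which fnmatch reproduces.
        if any(fnmatch.fnmatchcase(rule_arn, pattern) for pattern in patterns):
            verdict = "scoped"
    return verdict


if __name__ == "__main__":
    # Live use: policy = boto3.client("lambda").get_policy(FunctionName=name)["Policy"]
    for label, policy in (("empty", EMPTY_POLICY), ("scoped", SCOPED_POLICY),
                          ("unscoped", UNSCOPED_POLICY)):
        print(f"{label:>8}: {check_iot_invoke(policy, RULE_ARN)}")
```

Note that a function with no resource policy at all makes `aws lambda get-policy` fail with `ResourceNotFoundException` rather than return an empty statement list; treat that error the same as the `missing` verdict above.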

github-actions bot removed the label waiting-response on Apr 20, 2022
@github-actions (bot)

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions bot locked this issue as resolved and limited conversation to collaborators on May 21, 2022