AccessDeniedException: UnknownError when creating a Lambda with Terraform

Question   Votes: 0   Answers: 1

I am trying to create a simple Lambda with Terraform. I am getting an error that has come up many times on Stack Overflow; I have been reading the solutions, but they do not work for me.

When I run terraform apply I get this error.

aws_lambda_function.get_snow: Creating...
╷
│ Error: creating Lambda Function (howmuchsnow_get_snow): operation error Lambda: CreateFunction, https response error StatusCode: 403, RequestID: b66dcc48-58f8-4806-9100-69950c011cd4, api error AccessDeniedException: UnknownError
│ 
│   with aws_lambda_function.get_snow,
│   on get-snow-lambda.tf line 58, in resource "aws_lambda_function" "get_snow":
│   58: resource "aws_lambda_function" "get_snow" {
│ 

I have seen many posts about this error, and all of them were resolved by granting the appropriate permissions to the IAM user running terraform apply on the command line. However, my IAM user has administrator access.

This is the IAM user I am connected as in the Terraform session environment.

My project has two files.

terraform-backend.tf

terraform {
  required_version = ">= 1.2.7"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.19.0"
    }
  }

  backend "s3" {
    bucket         = "howmuchsnow-terraform-state"
    key            = "global/s3/terraform.tfstate"
    region         = "us-east-1" # Can't use a variable here - maybe an env var?
    dynamodb_table = "howmuchsnow-terraform-lock"
    encrypt        = true
  }
}

provider "aws" {
  region = var.aws_region
}

resource "aws_s3_bucket" "terraform_state" {
  bucket = "howmuchsnow-terraform-state"
}

resource "aws_s3_bucket_versioning" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_dynamodb_table" "terraform_lock" {
  name         = "howmuchsnow-terraform-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

get-snow-lambda.tf

data "aws_iam_policy_document" "get_snow" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "get_snow_lambda" {
  name               = "get_snow_lambda_role"
  assume_role_policy = data.aws_iam_policy_document.get_snow.json
}

resource "aws_cloudwatch_log_group" "get_snow_lambda" {
  name = "/aws/lambda/${aws_lambda_function.get_snow.function_name}"
  retention_in_days = var.log_retention
}

data "aws_iam_policy_document" "get_snow_lambda" {
  statement {
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    resources = ["arn:aws:logs:*:*:*"]
  }
}

resource "aws_iam_role_policy" "get_snow_lambda" {
  name   = "howmuchsnow_get_snow_lambda_policy"
  policy = data.aws_iam_policy_document.get_snow_lambda.json
  role   = aws_iam_role.get_snow_lambda.id
}

data "archive_file" "get_snow_lambda" {
  type        = "zip"
  source_file = "${path.module}/lambdas/get_snow.py"
  output_path = "${path.module}/lambdas/get_snow.zip"
}

resource "aws_lambda_function" "get_snow" {
  function_name    = "howmuchsnow_get_snow"
  filename         = data.archive_file.get_snow_lambda.output_path
  handler          = "get_snow.handler"
  source_code_hash = data.archive_file.get_snow_lambda.output_base64sha256
  runtime          = "python3.10"
  role             = aws_iam_role.get_snow_lambda.arn
}

Also for reference:

Terraform v1.6.0
on linux_amd64
+ provider registry.terraform.io/hashicorp/archive v2.4.0
+ provider registry.terraform.io/hashicorp/aws v5.19.0
aws-lambda terraform amazon-iam terraform-provider-aws
1 Answer

0 votes

I believe the IAM user you are using to create the function does not have sufficient permissions. Changing the access key and secret key ID may help.
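To see how an identity with administrator access can still receive AccessDeniedException for lambda:CreateFunction, it helps to recall the IAM evaluation order: an explicit Deny from any applicable policy (a permissions boundary, a service control policy, or another attached policy) overrides every Allow, and AdministratorAccess is only an Allow on "*". Terraform also needs iam:PassRole on the execution role to attach it to the new function. The following Python model of that evaluation order is an added example, not code from the question or the answer; the policies, the account ID and the role ARN are constructed placeholders, and the model ignores NotAction, NotResource and Condition elements.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (placeholders, not taken from the question).
# ADMIN_POLICY mirrors the shape of AdministratorAccess: Allow everything.
ADMIN_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ]
}

# A deny of the kind a service control policy or permissions boundary could add.
DENY_LAMBDA_CREATE = {
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionCode"],
            "Resource": "*",
        }
    ]
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, target, case_insensitive):
    """Wildcard match of an action or resource against the statement's patterns.
    Action names are case-insensitive in IAM; ARNs are compared as written."""
    if case_insensitive:
        return any(fnmatchcase(target.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(target, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one action/resource pair.
    Order: an explicit Deny in any policy wins, then an Allow,
    otherwise the request is implicitly denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, case_insensitive=True):
                continue
            if not _matches(stmt["Resource"], resource, case_insensitive=False):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny: stop immediately
            allowed = True
    return "Allow" if allowed else "Deny"


def check_lambda_deploy(policies, role_arn):
    """The two permissions Terraform needs for the aws_lambda_function resource:
    create the function and pass its execution role to the Lambda service."""
    return {
        "lambda:CreateFunction": evaluate(policies, "lambda:CreateFunction", "*"),
        "iam:PassRole": evaluate(policies, "iam:PassRole", role_arn),
    }


if __name__ == "__main__":
    # Placeholder account ID and the role name used in the question.
    role = "arn:aws:iam::123456789012:role/get_snow_lambda_role"
    print("admin only:       ", check_lambda_deploy([ADMIN_POLICY], role))
    print("admin + deny:     ", check_lambda_deploy([ADMIN_POLICY, DENY_LAMBDA_CREATE], role))
```

With only the admin-style policy both checks return Allow; adding the deny statement turns lambda:CreateFunction into Deny while iam:PassRole stays Allow, which is the pattern to look for when a supposedly administrative identity is refused a single API call. On a real account the same question can be put to AWS with the IAM policy simulator (iam:SimulatePrincipalPolicy) for the identity that terraform apply actually uses.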
