Merge pull request #5182 from Originate/mb-fix-lambda-vpc-implementation

provider/aws: Fixes terraform crash when lambda VpcId is nil

builtin/providers/aws/resource_aws_lambda_function.go

@@ -173,32 +173,29 @@ func resourceAwsLambdaFunctionCreate(d *schema.ResourceData, meta interface{}) e
 	}
 
 	if v, ok := d.GetOk("vpc_config"); ok {
-		configs := v.([]interface{})
+		config, err := validateVPCConfig(v)
+		if err != nil {
+			return err
+		}
 
-		if len(configs) > 1 {
+		var subnetIds []*string
-			return errors.New("Only a single vpc_config block is expected")
+		for _, id := range config["subnet_ids"].(*schema.Set).List() {
-		} else if len(configs) == 1 {
+			subnetIds = append(subnetIds, aws.String(id.(string)))
-			config := configs[0].(map[string]interface{})
+		}
-			var subnetIds []*string
-			for _, id := range config["subnet_ids"].(*schema.Set).List() {
-				subnetIds = append(subnetIds, aws.String(id.(string)))
-			}
 
-			var securityGroupIds []*string
+		var securityGroupIds []*string
-			for _, id := range config["security_group_ids"].(*schema.Set).List() {
+		for _, id := range config["security_group_ids"].(*schema.Set).List() {
-				securityGroupIds = append(securityGroupIds, aws.String(id.(string)))
+			securityGroupIds = append(securityGroupIds, aws.String(id.(string)))
-			}
+		}
 
-			var vpcConfig = &lambda.VpcConfig{
+		params.VpcConfig = &lambda.VpcConfig{
-				SubnetIds:        subnetIds,
+			SubnetIds:        subnetIds,
-				SecurityGroupIds: securityGroupIds,
+			SecurityGroupIds: securityGroupIds,
-			}
-			params.VpcConfig = vpcConfig
 		}
 	}
 
 	// IAM profiles can take ~10 seconds to propagate in AWS:
-	//  http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#launch-instance-with-role-console
+	// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#launch-instance-with-role-console
 	// Error creating Lambda function: InvalidParameterValueException: The role defined for the task cannot be assumed by Lambda.
 	err := resource.Retry(1*time.Minute, func() error {
 		_, err := conn.CreateFunction(params)
@@ -257,7 +254,9 @@ func resourceAwsLambdaFunctionRead(d *schema.ResourceData, meta interface{}) err
 	d.Set("role", function.Role)
 	d.Set("runtime", function.Runtime)
 	d.Set("timeout", function.Timeout)
-	d.Set("vpc_config", flattenLambdaVpcConfigResponse(function.VpcConfig))
+	if config := flattenLambdaVpcConfigResponse(function.VpcConfig); len(config) > 0 {
+		d.Set("vpc_config", config)
+	}
 
 	return nil
 }
@@ -286,7 +285,28 @@ func resourceAwsLambdaFunctionDelete(d *schema.ResourceData, meta interface{}) e
 // resourceAwsLambdaFunctionUpdate maps to:
 // UpdateFunctionCode in the API / SDK
 func resourceAwsLambdaFunctionUpdate(d *schema.ResourceData, meta interface{}) error {
-	// conn := meta.(*AWSClient).lambdaconn
-
 	return nil
 }
+
+func validateVPCConfig(v interface{}) (map[string]interface{}, error) {
+	configs := v.([]interface{})
+	if len(configs) > 1 {
+		return nil, errors.New("Only a single vpc_config block is expected")
+	}
+
+	config, ok := configs[0].(map[string]interface{})
+
+	if !ok {
+		return nil, errors.New("vpc_config is <nil>")
+	}
+
+	if config["subnet_ids"].(*schema.Set).Len() == 0 {
+		return nil, errors.New("vpc_config.subnet_ids cannot be empty")
+	}
+
+	if config["security_group_ids"].(*schema.Set).Len() == 0 {
+		return nil, errors.New("vpc_config.security_group_ids cannot be empty")
+	}
+
+	return config, nil
+}

builtin/providers/aws/resource_aws_lambda_function_test.go

@@ -19,7 +19,26 @@ func TestAccAWSLambdaFunction_basic(t *testing.T) {
 		CheckDestroy: testAccCheckLambdaFunctionDestroy,
 		Steps: []resource.TestStep{
 			resource.TestStep{
-				Config: testAccAWSLambdaConfig,
+				Config: testAccAWSLambdaConfigBasic,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsLambdaFunctionExists("aws_lambda_function.lambda_function_test", &conf),
+					testAccCheckAWSLambdaAttributes(&conf),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAWSLambdaFunction_VPC(t *testing.T) {
+	var conf lambda.GetFunctionOutput
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckLambdaFunctionDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSLambdaConfigWithVPC,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAwsLambdaFunctionExists("aws_lambda_function.lambda_function_test", &conf),
 					testAccCheckAWSLambdaAttributes(&conf),
@@ -96,7 +115,7 @@ func testAccCheckAWSLambdaAttributes(function *lambda.GetFunctionOutput) resourc
 	}
 }
 
-const testAccAWSLambdaConfig = `
+const baseAccAWSLambdaConfig = `
 resource "aws_iam_role_policy" "iam_policy_for_lambda" {
     name = "iam_policy_for_lambda"
     role = "${aws_iam_role.iam_for_lambda.id}"
@@ -179,6 +198,18 @@ resource "aws_security_group" "sg_for_lambda" {
   }
 }
 
+`
+
+const testAccAWSLambdaConfigBasic = baseAccAWSLambdaConfig + `
+resource "aws_lambda_function" "lambda_function_test" {
+    filename = "test-fixtures/lambdatest.zip"
+    function_name = "example_lambda_name"
+    role = "${aws_iam_role.iam_for_lambda.arn}"
+    handler = "exports.example"
+}
+`
+
+const testAccAWSLambdaConfigWithVPC = baseAccAWSLambdaConfig + `
 resource "aws_lambda_function" "lambda_function_test" {
     filename = "test-fixtures/lambdatest.zip"
     function_name = "example_lambda_name"

builtin/providers/aws/structure.go

@@ -688,9 +688,15 @@ func flattenLambdaVpcConfigResponse(s *lambda.VpcConfigResponse) []map[string]in
 		return nil
 	}
 
+	if len(s.SubnetIds) == 0 && len(s.SecurityGroupIds) == 0 && s.VpcId == nil {
+		return nil
+	}
+
 	settings["subnet_ids"] = schema.NewSet(schema.HashString, flattenStringList(s.SubnetIds))
 	settings["security_group_ids"] = schema.NewSet(schema.HashString, flattenStringList(s.SecurityGroupIds))
-	settings["vpc_id"] = *s.VpcId
+	if s.VpcId != nil {
+		settings["vpc_id"] = *s.VpcId
+	}
 
 	return []map[string]interface{}{settings}
 }