destination_on_failure not working

[theburningmonk]

Description

When using the destination_on_failure on a Lambda function, the configured Failure Destination do not appear in the Lambda function console, nor is a

Versions

• Module version 7.17

• Terraform version: 1.10.3

• Provider version(s):
  aws: 5.82.2
  external v2.3.4
  local v2.5.2
  null v3.2.3

Reproduction Code [Required]

resource "aws_sqs_queue" "notify_restaurant_dlq" {
  name = "${var.service_name}-${var.stage_name}-notify-restaurant-dlq"
}

module "notify_restaurant_lambda" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "~> 7.0"

  function_name = "${var.service_name}-${var.stage_name}-notify-restaurant"
  handler       = "index.handler"
  runtime       = "nodejs20.x"
  memory_size   = 1024
  timeout       = 6

  source_path = [{
    path = "${path.module}/../functions/notify-restaurant"
    commands = [
      "rm -rf node_modules",
      "npm ci --omit=dev",
      ":zip"
    ]
  }]

  environment_variables = {
    bus_name                      = module.eventbridge.eventbridge_bus_name
    restaurant_notification_topic = module.sns_restaurant_notifications.topic_arn
    idempotency_table             = module.dynamodb_idempotency_table.dynamodb_table_id
  }

  attach_policy_statements = true
  policy_statements = {
    eventbridge_put = {
      effect = "Allow"
      actions = [
        "events:PutEvents"
      ]
      resources = [module.eventbridge.eventbridge_bus_arn]
    }
    sns_publish = {
      effect = "Allow"
      actions = [
        "sns:Publish"
      ]
      resources = [module.sns_restaurant_notifications.topic_arn]
    }
    dynamodb_access = {
      effect = "Allow"
      actions = [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
      ]
      resources = [module.dynamodb_idempotency_table.dynamodb_table_arn]
    }
    dlq_send = {
      effect = "Allow"
      actions = [
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:SendMessage"
      ]
      resources = [aws_sqs_queue.notify_restaurant_dlq.arn]
    }
  }

  publish = true
  allowed_triggers = {
    EventBridge = {
      service    = "events"
      source_arn = module.eventbridge.eventbridge_rule_arns["notify_restaurant"]
    }
  }  

  cloudwatch_logs_retention_in_days = 7

  destination_on_failure = aws_sqs_queue.notify_restaurant_dlq.arn
}

Steps to reproduce the behavior:

Run terraform plan, followed by terraform apply

Expected behavior

A failure destination is attached to the Lambda funciton

Actual behavior

No failure destinations attached to the Lambda function

Terminal Output Screenshot(s)

Additional context

I inspected the terraform.tfstate after applying the changes, and I do not see any aws_lambda_function_event_invoke_config generated by the module. I assume that's what the module should have done?

p.s. manually adding an aws_lambda_function_event_invoke_config resource, and removing the destination_on_failure from the module, worked as expected.

resource "aws_lambda_function_event_invoke_config" "notify_restaurant" {
  function_name = module.notify_restaurant_lambda.lambda_function_name

  destination_config {
    on_failure {
      destination = aws_sqs_queue.notify_restaurant_dlq.arn
    }
  }
}

[antonbabenko]

Make sure that you specify create_async_event_config = true, since it is expected here in count:

terraform-aws-lambda/main.tf

Line 250 in 5da19e5

for_each = { for k, v in local.qualifiers : k => v if v != null && local.create && var.create_function && !var.create_layer && var.create_async_event_config }