The "InvalidParameterValueException" error occurs when creating AWS Lambda functions with Terraform due to invalid configuration parameters. Common causes include S3 bucket region mismatches, VPC permission issues, IAM role problems, or exceeding service quotas.
When Terraform attempts to create a Lambda function via the AWS API, AWS validates all provided parameters. The InvalidParameterValueException error indicates that at least one parameter value fails validation for the CreateFunction operation. Unlike syntax errors in Terraform itself, this error comes from AWS rejecting the configuration during the actual function creation. To find the root cause, read the specific error message alongside your Terraform configuration and identify which parameter AWS deemed invalid.
The S3 bucket containing your Lambda deployment package must be in the same AWS region as the Lambda function.
Check your Terraform configuration:
resource "aws_lambda_function" "example" {
  # The package is read from S3; do not also set "filename", which conflicts with s3_bucket
  s3_bucket = "my-bucket" # This bucket must be in the same region as the function
  s3_key    = "deployments/lambda.zip"
  region    = "us-east-1" # Lambda region
}
Verify the S3 bucket location:
aws s3api get-bucket-location --bucket my-bucket --region us-east-1
A LocationConstraint of null in the output means the bucket is in us-east-1.
If the bucket is in a different region, either:
- Create a new S3 bucket in the Lambda region
- Or upload your deployment package to the existing bucket if it's in the correct region
Ensure the runtime you specified is currently supported by AWS Lambda. Deprecated runtimes such as Python 2.7, Python 3.6 and Node.js 10.x are no longer available.
Check your Terraform configuration:
resource "aws_lambda_function" "example" {
  runtime = "python3.12" # Make sure this is supported
}
Current supported runtimes include:
- Python: 3.9, 3.10, 3.11, 3.12
- Node.js: 18.x, 20.x
- Ruby: 3.2, 3.3
- Java: 11, 17, 21
- Go: 1.x
- .NET: 6, 8
Check AWS Lambda documentation for the latest supported runtimes and deprecation timelines.
Memory and timeout must be within valid AWS Lambda limits:
resource "aws_lambda_function" "example" {
  memory_size = 256 # Must be 128-10240 MB, in 1 MB increments
  timeout     = 30  # Must be 1-900 seconds
}
If you see errors like "MemorySize value failed to satisfy constraint", adjust the memory allocation. You can also request a quota increase via AWS Console if you need more memory than currently available in your account.
Handler format must match your runtime. Common formats:
Python:
handler = "lambda_function.handler" # file.function_name
Node.js:
handler = "index.handler" # file.function_name
Go:
handler = "main" # Binary name in ZIP root
Java:
handler = "com.example.App::handleRequest" # class::method
Verify the handler file exists in your deployment package and the function is exported correctly.
If using VPC configuration, the Lambda execution role must have permission to create and manage network interfaces:
resource "aws_iam_role" "lambda_role" {
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "lambda.amazonaws.com"
      }
    }]
  })
}
resource "aws_iam_role_policy_attachment" "lambda_vpc_policy" {
  role       = aws_iam_role.lambda_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}
resource "aws_lambda_function" "example" {
  role = aws_iam_role.lambda_role.arn
  vpc_config {
    subnet_ids         = [aws_subnet.example.id]
    security_group_ids = [aws_security_group.example.id]
  }
}
Ensure the policy is attached BEFORE creating/updating the Lambda function. Use depends_on if needed.
Environment variables must not exceed 4 KB total size:
# Calculate size of your environment variables
echo -n "KEY1=value1KEY2=value2KEY3=value3" | wc -c
If you need to pass large configuration or credentials:
resource "aws_lambda_function" "example" {
  # Pass only a reference to the secret; the function reads the value at runtime
  environment {
    variables = {
      SECRETS_ARN = aws_secretsmanager_secret.example.arn
    }
  }
}
Update your Lambda code to fetch large values from AWS Secrets Manager or Parameter Store at runtime.
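A pre-flight check for the runtime, memory, timeout, handler and environment-size constraints covered above, run against `terraform show -json` plan output before `terraform apply`. This is an added example, not part of the original article or of Terraform; the function names and the sample plan are hypothetical, and the environment size uses the article's own KEY=value measure.

```python
# Limits and deprecated runtimes as stated in the article above.
LIMITS = {"memory_size": (128, 10240), "timeout": (1, 900)}  # MB, seconds
ENV_LIMIT_BYTES = 4 * 1024
DEPRECATED_RUNTIMES = {"python2.7", "python3.6", "nodejs10.x"}

def env_size(variables):
    """Bytes of KEY=value pairs concatenated, the same measure as the wc -c check."""
    return sum(len(f"{k}={v or ''}".encode()) for k, v in variables.items())

def handler_ok(runtime, handler):
    """Check the handler shape the article lists for each runtime family."""
    if runtime.startswith(("python", "nodejs")):      # file.function_name
        module, _, func = handler.rpartition(".")
        return bool(module and func)
    if runtime.startswith("java"):                    # class or class::method
        cls, sep, method = handler.partition("::")
        return bool(cls) and (not sep or bool(method))
    return bool(handler)                              # e.g. Go: binary name

def check_function(cfg):
    """Return the problems found in one planned aws_lambda_function."""
    problems = []
    runtime, handler = cfg.get("runtime") or "", cfg.get("handler") or ""
    if runtime in DEPRECATED_RUNTIMES:
        problems.append(f"runtime {runtime} is deprecated")
    if runtime and not handler_ok(runtime, handler):
        problems.append(f"handler {handler!r} does not fit runtime {runtime}")
    for key, (lo, hi) in LIMITS.items():
        value = cfg.get(key)
        if value is not None and not lo <= value <= hi:
            problems.append(f"{key} {value} outside {lo}-{hi}")
    for env in cfg.get("environment") or []:          # block is a list in plan JSON
        if (size := env_size(env.get("variables") or {})) > ENV_LIMIT_BYTES:
            problems.append(f"environment is {size} bytes, limit {ENV_LIMIT_BYTES}")
    return problems

def check_plan(plan):
    """Map resource address -> problems for each aws_lambda_function in the plan."""
    report = {}
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if rc.get("type") == "aws_lambda_function" and after:
            report[rc["address"]] = check_function(after)
    return {addr: found for addr, found in report.items() if found}

# Constructed sample shaped like `terraform show -json` output (not a real plan).
SAMPLE_PLAN = {"resource_changes": [{
    "address": "aws_lambda_function.bad", "type": "aws_lambda_function",
    "change": {"after": {"runtime": "python3.6", "handler": "handler", "memory_size": 64,
                         "timeout": 1200, "environment": [{"variables": {"BLOB": "x" * 5000}}]}}}]}
```

To use it on a real plan, load the output of `terraform show -json` with `json.load` and pass the result to `check_plan`. The JSON plan holds environment variable values in clear text, so treat that file as sensitive.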
The combined size of function code plus all layers cannot exceed 262 MB:
# Check uncompressed size
unzip -l lambda.zip | tail -1
# Check compressed size
ls -lh lambda.zip
If you're hitting the limit:
resource "aws_lambda_function" "example" {
  # Option 1: Remove unused dependencies
  filename = "lambda-slim.zip"
  # Option 2: Use Lambda layers for common libraries
  layers = [aws_lambda_layer_version.dependencies.arn]
}
In your Terraform apply, use two separate operations if updating both code and layers - apply without layers first, then add layers in a second apply.
If the error mentions $LATEST when adding permissions, set publish = true:
resource "aws_lambda_function" "example" {
  publish = true # Creates a versioned function instead of $LATEST only
}
resource "aws_lambda_permission" "example" {
  statement_id  = "AllowAPIGateway"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "apigateway.amazonaws.com"
}
This ensures you can attach permissions to specific versions.
If creating IAM role and Lambda function in the same Terraform apply, IAM changes may not have propagated yet:
resource "time_sleep" "wait_for_iam_propagation" {
  create_duration = "10s"
  depends_on = [
    aws_iam_role_policy_attachment.lambda_policy
  ]
}
resource "aws_lambda_function" "example" {
  role = aws_iam_role.lambda_role.arn
  depends_on = [
    time_sleep.wait_for_iam_propagation
  ]
}
This ensures IAM role and policies are fully propagated before Lambda creation attempts.
- When combining Lambda with Provisioned Concurrency and weighted aliases (for canary deployments), AWS temporarily makes the alias weighted, which prevents provisioned concurrency. Wait for the canary to finish before using provisioned concurrency.
- If error messages expose sensitive information, upgrade terraform-provider-aws to a recent version that redacts sensitive values.
- In CI/CD environments, ensure the build runner can access the S3 bucket in the correct region.
- If using custom runtimes or container images, verify the image is in the same region as the Lambda function.
- For multi-region deployments, create separate S3 buckets per region and reference the correct bucket for each region's Lambda function.