observeinc · obs-gh-justindaines · May 29, 2024 · May 7, 2025 · May 7, 2025 · Feb 23, 2026
diff --git a/.gitignore b/.gitignore
@@ -4,3 +4,5 @@ terraform.tfstate
 terraform.tfvars
 
 .terraform.lock.hcl
+
+.idea
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,10 +1,14 @@
-# [3.6.0](https://github.com/observeinc/terraform-aws-lambda/compare/v3.5.1...v3.6.0) (2024-05-01)
+# [3.7.0](https://github.com/observeinc/terraform-aws-lambda/compare/v3.6.0...v3.7.0) (2025-05-07)
+
+
+### Bug Fixes
+
+* Fix S3 Bucket Notification Configuration Validation Error OBSSD-612 ([a708fc6](https://github.com/observeinc/terraform-aws-lambda/commit/a708fc6f17fadf1330c048d4165a1a3385de8a9b))
 
 
 ### Features
 
-* allow KMS encryption of token environment variable ([#83](https://github.com/observeinc/terraform-aws-lambda/issues/83)) ([5d209d5](https://github.com/observeinc/terraform-aws-lambda/commit/5d209d56d478e3e810d4e65bc26eb6daed95beca))
-* bump min terraform version to 1.1.1 ([#85](https://github.com/observeinc/terraform-aws-lambda/issues/85)) ([c660124](https://github.com/observeinc/terraform-aws-lambda/commit/c660124248bc0a3a3ef2a2d96dcef982e85af68e))
+* Update for apigatewayv2 ([a191b9c](https://github.com/observeinc/terraform-aws-lambda/commit/a191b9c8678d9f2c3aecfce14e6d0a5d8e7371fb))
 
 
 
diff --git a/README.md b/README.md
@@ -20,7 +20,7 @@ Additionally, this repository provides submodules to interact with the lambda fu
 
 * [Upload S3 objects using S3 bucket notifications](https://github.com/observeinc/terraform-aws-lambda/tree/main/modules/s3_bucket_subscription)
 * [Subscribe CloudWatch Logs to Observe Lambda](https://github.com/observeinc/terraform-aws-lambda/tree/main/modules/cloudwatch_logs_subscription)
-* [Collect API snapshots](https://github.com/observeinc/terraform-aws-lambda/tree/main/snapshot)
+* [Collect API snapshots](https://github.com/observeinc/terraform-aws-lambda/tree/main/modules/snapshot)
 
 ## Examples
 

diff --git a/examples/vpc_config/vpc.tf b/examples/vpc_config/vpc.tf
@@ -9,7 +9,7 @@ resource "aws_internet_gateway" "gw" {
 }
 
 resource "aws_eip" "nat" {
-  vpc        = true
+  domain     = "vpc"
   depends_on = [aws_internet_gateway.gw]
 }
 

diff --git a/main.tf b/main.tf
@@ -1,28 +1,28 @@
 locals {
-  default_lambda_bucket = format("observeinc-%s", data.aws_region.current.name)
+  default_lambda_bucket = format("observeinc-%s", data.aws_region.current.id)
   lambda_iam_role_arn   = var.lambda_iam_role_arn != "" ? var.lambda_iam_role_arn : aws_iam_role.lambda[0].arn
   lambda_iam_role_name  = regex(".*role/(?P<role_name>.*)$", local.lambda_iam_role_arn)["role_name"]
-  s3_bucket             = var.s3_bucket != "" ? var.s3_bucket : lookup(var.s3_regional_buckets, data.aws_region.current.name, local.default_lambda_bucket)
+  s3_bucket             = var.s3_bucket != "" ? var.s3_bucket : lookup(var.s3_regional_buckets, data.aws_region.current.id, local.default_lambda_bucket)
   s3_key                = var.s3_key != "" ? var.s3_key : join("/", [var.s3_key_prefix, format("%s.zip", var.lambda_version)])
   observe_token         = var.kms_key != null ? aws_kms_ciphertext.token[0].ciphertext_blob : var.observe_token
   goarch = lookup(
     {
       "amd64" : {
         architectures = ["x86_64"]
         handler       = "bootstrap"
-        runtime       = "provided.al2"
+        runtime       = "provided.al2023"
       }
       "arm64" : {
         architectures = ["arm64"]
         handler       = "bootstrap"
-        runtime       = "provided.al2"
+        runtime       = "provided.al2023"
       }
     },
     split("/", var.lambda_version)[0],
     {
       architectures = null
-      handler       = "main"
-      runtime       = "go1.x"
+      handler       = "bootstrap"
+      runtime       = "provided.al2023"
     },
   )
 }

diff --git a/modules/s3_bucket/main.tf b/modules/s3_bucket/main.tf
@@ -42,8 +42,6 @@ module "s3_bucket" {
   tags = var.tags
 }
 
-data "aws_redshift_service_account" "this" {}
-
 data "aws_iam_policy_document" "bucket" {
   statement {
     sid    = "AWSCloudTrailWrite"
@@ -134,8 +132,8 @@ data "aws_iam_policy_document" "bucket" {
     effect = "Allow"
 
     principals {
-      type        = "AWS"
-      identifiers = [data.aws_redshift_service_account.this.arn]
+      type        = "Service"
+      identifiers = ["redshift.amazonaws.com"]
     }
 
     actions = [
@@ -152,8 +150,8 @@ data "aws_iam_policy_document" "bucket" {
     effect = "Allow"
 
     principals {
-      type        = "AWS"
-      identifiers = [data.aws_redshift_service_account.this.arn]
+      type        = "Service"
+      identifiers = ["redshift.amazonaws.com"]
     }
 
     actions = [

diff --git a/modules/s3_bucket_subscription/main.tf b/modules/s3_bucket_subscription/main.tf
@@ -28,6 +28,7 @@ resource "aws_s3_bucket_notification" "notification" {
     filter_prefix       = var.filter_prefix
     filter_suffix       = var.filter_suffix
   }
+  depends_on = [aws_lambda_permission.allow_bucket]
 }
 
 resource "aws_iam_policy" "s3_bucket_read" {

diff --git a/modules/snapshot/README.md b/modules/snapshot/README.md
@@ -123,7 +123,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_action"></a> [action](#input\_action) | List of actions allowed by policy and periodically triggered. By default,<br>this list contains all policies which the lambda can act upon. You should<br>only override this list if you do not want to execute more actions as they<br>become available in future lambda upgrades. If you instead wish to extend<br>this list, or ignore a subset of actions, use \"include\" and \"exclude\". | `list(string)` | <pre>[<br>  "apigateway:Get*",<br>  "autoscaling:Describe*",<br>  "cloudformation:Describe*",<br>  "cloudformation:List*",<br>  "cloudfront:List*",<br>  "dynamodb:Describe*",<br>  "dynamodb:List*",<br>  "ec2:Describe*",<br>  "ecs:Describe*",<br>  "ecs:List*",<br>  "eks:Describe*",<br>  "eks:List*",<br>  "elasticbeanstalk:Describe*",<br>  "elasticache:Describe*",<br>  "elasticfilesystem:Describe*",<br>  "elasticloadbalancing:Describe*",<br>  "elasticmapreduce:Describe*",<br>  "elasticmapreduce:List*",<br>  "events:List*",<br>  "firehose:Describe*",<br>  "firehose:List*",<br>  "iam:Get*",<br>  "iam:List*",<br>  "kinesis:Describe*",<br>  "kinesis:List*",<br>  "kms:Describe*",<br>  "kms:List*",<br>  "lambda:List*",<br>  "logs:Describe*",<br>  "organizations:Describe*",<br>  "organizations:List*",<br>  "rds:Describe*",<br>  "redshift:Describe*",<br>  "route53:List*",<br>  "s3:GetBucket*",<br>  "s3:List*",<br>  "secretsmanager:List*",<br>  "sns:Get*",<br>  "sns:List*",<br>  "sqs:Get*",<br>  "sqs:List*",<br>  "synthetics:Describe*",<br>  "synthetics:List*"<br>]</pre> | no |
+| <a name="input_action"></a> [action](#input\_action) | List of actions allowed by policy and periodically triggered. By default,<br>this list contains all policies which the lambda can act upon. You should<br>only override this list if you do not want to execute more actions as they<br>become available in future lambda upgrades. If you instead wish to extend<br>this list, or ignore a subset of actions, use \"include\" and \"exclude\". | `list(string)` | <pre>[<br>  "apigateway:Get*",<br>  "apigatewayv2:Get*",<br>  "autoscaling:Describe*",<br>  "cloudformation:Describe*",<br>  "cloudformation:List*",<br>  "cloudfront:List*",<br>  "dynamodb:Describe*",<br>  "dynamodb:List*",<br>  "ec2:Describe*",<br>  "ecs:Describe*",<br>  "ecs:List*",<br>  "eks:Describe*",<br>  "eks:List*",<br>  "elasticbeanstalk:Describe*",<br>  "elasticache:Describe*",<br>  "elasticfilesystem:Describe*",<br>  "elasticloadbalancing:Describe*",<br>  "elasticmapreduce:Describe*",<br>  "elasticmapreduce:List*",<br>  "events:List*",<br>  "firehose:Describe*",<br>  "firehose:List*",<br>  "iam:Get*",<br>  "iam:List*",<br>  "kinesis:Describe*",<br>  "kinesis:List*",<br>  "kms:Describe*",<br>  "kms:List*",<br>  "lambda:List*",<br>  "logs:Describe*",<br>  "organizations:Describe*",<br>  "organizations:List*",<br>  "rds:Describe*",<br>  "redshift:Describe*",<br>  "route53:List*",<br>  "s3:GetBucket*",<br>  "s3:List*",<br>  "secretsmanager:List*",<br>  "sns:Get*",<br>  "sns:List*",<br>  "sqs:Get*",<br>  "sqs:List*",<br>  "synthetics:Describe*",<br>  "synthetics:List*"<br>]</pre> | no |
 | <a name="input_eventbridge_name_prefix"></a> [eventbridge\_name\_prefix](#input\_eventbridge\_name\_prefix) | Prefix used for EventBridge Rule | `string` | `"observe-lambda-snapshot-"` | no |
 | <a name="input_eventbridge_schedule_event_bus_name"></a> [eventbridge\_schedule\_event\_bus\_name](#input\_eventbridge\_schedule\_event\_bus\_name) | Event Bus for EventBridge scheduled events | `string` | `"default"` | no |
 | <a name="input_eventbridge_schedule_expression"></a> [eventbridge\_schedule\_expression](#input\_eventbridge\_schedule\_expression) | Rate at which snapshot is triggered. Must be valid EventBridge expression | `string` | `"rate(3 hours)"` | no |

diff --git a/modules/snapshot/variables.tf b/modules/snapshot/variables.tf
@@ -41,6 +41,7 @@ variable "action" {
   nullable    = false
   default = [
     "apigateway:Get*",
+    "apigatewayv2:Get*",
     "autoscaling:Describe*",
     "cloudformation:Describe*",
     "cloudformation:List*",
Original file line number	Diff line number	Diff line change
Expand Up		@@ -4,3 +4,5 @@ terraform.tfstate
		terraform.tfvars

		.terraform.lock.hcl

		.idea