aws-profile | Make AWS CLI profile switch easy | AWS library

After some research we were able to connect our lambda to our vpc using serverless. The solution was: Stop using serverless-vpc-plugin.

It turns out that serverless-vpc-plugin, automatically creates a AWS VPC, which is not what we were looking for. We already had our VPC created using terraform.

From serverless-vpc-plugin documentation

Automatically creates an AWS Virtual Private Cloud (VPC) using all available Availability Zones (AZ) in a region.

In other words, serverless-vpc-plugin doesn't make sense when the target vpc already exists

This is a known issue with Serverless, Serverless only checks ~/.aws/credentials for the profile and not ~/.aws/config.

There are multiple Serverless forum posts about this, e.g. this one.

Change your ~/.aws/credentials file to this and it should work:

IoTDataPlane does not have resource. You can only use client with the IoTDataPlane:

The error likely isn't occuring in your provisioner execution per se, because if you remove the provisioner block the error still occurs on apply--but confusingly only the first time after a destroy. Removing the data "aws_secretsmanager_secret_version" "rds-secret" block as well "resolves" the error completely.

I'm guessing there is some sort of config delay issue here...but adding a 20 second delay provisioner to the aws_secretsmanager_secret.rds-secret resource block didn't help. And the value from the data block can be successfully output on subsequent apply runs, so maybe it's not just timing.

Even if you resolve the above more basic issue, it's likely your provisioner will still be confusing things by modifying a resource that Terraform is trying to manage in the same run. I'm not sure there's a way to get around that except perhaps by splitting into two separate operations.

Update:

It turns out that on the first run the data sources are read before the aws_secretsmanager_secret_version resource is created. Just adding depends_on = [aws_secretsmanager_secret_version.rds-secret-version] to the data "aws_secretsmanager_secret_version" block resolves this fully and makes the interpolation for your provisioner work as well. I haven't tested the actual provisioner.

Also you may need to consider this (which I take to not always apply to 0.13):

NOTE: In Terraform 0.12 and earlier, due to the data resource behavior of deferring the read until the apply phase when depending on values that are not yet known, using depends_on with data resources will force the read to always be deferred to the apply phase, and therefore a configuration that uses depends_on with a data resource can never converge. Due to this behavior, we do not recommend using depends_on with data resources.

The .serverless folder is created by serverless to alocate the cloud formation files. You should not handle them manually (and the folder and it’s content should not be included in source control).

The serverless.yml is the source of truth for the deployment, so it should do the same if running with the same environments.

The AWS account/profile can be set using the AWS cli. Given all the devs use the same account or use accounts with the same level of permissions, each one of you should be able to run deploy/remove.

If you project uses a .env file or environmental variables, each member of the team has to include them in their environment.