A Terraform Stack that provisions an AWS S3 bucket, an AWS Lambda function served from that bucket, and an AWS API Gateway to invoke that function at a URL, all across multiple AWS accounts.

hashicorp-guides/lambda-multi-account-stack

lambda-multi-account-stack

This is an example stack configuration for the private preview of Terraform Stacks. Language constructs and features are subject to change given feedback received during this preview. Do not use Stacks for production workloads at this time.

An example Terraform Stack that provisions an AWS S3 bucket, an AWS Lambda function served from that bucket, and an AWS API Gateway to invoke that function at a URL, all across multiple AWS accounts.

This is the same system as in hashicorp/lambda-api-gateway-stack, but additionally demonstrates multiple deployments modeling environments, each one managed by its own AWS account.

We do not recommend using this example within production accounts. This example will incur [small] costs if provisioned. Please remember to destroy the infrastructure after using this example.

Usage

Prerequisites: You must have a Terraform Cloud account with access to the private preview of Terraform Stacks, a GitHub account, and an AWS account with Terraform Cloud configured as an OIDC identity provider. Details of all of this are found in the provided Stacks User Guide.

  1. Configure AWS authentication by creating new IAM roles in the AWS web console (or with Terraform itself!) with proper permissions (S3, Lambda, and API Gateway) and trust policies that allow the role to be assumed by Terraform Cloud (the OIDC identity provider). More details on this step can be found in the Stacks User Guide.
  2. Fork this repository to your own GitHub account, such that you can edit this stack configuration for your purposes.
  3. Edit your forked stack configuration and change deployments.tfdeploy.hcl to use the ARNs of the IAM roles you created, as well as the audience value(s) for OpenID Connect.
  4. Create a new stack in Terraform Cloud and connect it to your forked configuration repository.
  5. Provision away! Once applied, look at the invoke_url attribute for the aws_apigatewayv2_stage.lambda resource in the API Gateway component for a given deployment; add /hello?name=<Name> to get a warm greeting! (e.g. https://wbshl7x6wb.execute-api.us-east-1.amazonaws.com/serverless_lambda_stage/hello?name=Chris)
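
An added example, not part of this repository: a Python check that audits the trust policy of each environment's IAM role (steps 1 and 3) and reports roles that accept any token from the OIDC provider instead of pinning the audience and the subject. Assumptions: the provider host `app.terraform.io`, the `aud`/`sub` condition keys, the `organization:<org>:project:<project>:...` subject layout, the audience value, and all account IDs and names are constructed placeholders; check them against the Stacks User Guide.

```python
import re

# Assumed, not taken from the repository: provider host, condition keys and
# the "organization:<org>:project:<project>:..." subject layout.
PROVIDER = "app.terraform.io"
AUD_KEY, SUB_KEY = PROVIDER + ":aud", PROVIDER + ":sub"
SCOPED_SUB = re.compile(r"^organization:[^*?:]+:project:[^*?:]+:")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_audience):
    """Return findings for one role's trust policy; an empty list means OK."""
    findings = []
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated", []) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not any(
                arn.endswith(":oidc-provider/" + PROVIDER) for arn in _as_list(federated)):
            continue  # not a grant to the OIDC provider
        cond = stmt.get("Condition", {})
        exact, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if _as_list(exact.get(AUD_KEY, [])) != [expected_audience]:
            findings.append(f"statement {n}: audience is not pinned to {expected_audience}")
        subjects = _as_list(exact.get(SUB_KEY, [])) + _as_list(like.get(SUB_KEY, []))
        if not subjects:
            findings.append(f"statement {n}: no subject condition")
        findings += [f"statement {n}: subject pattern too broad: {s}"
                     for s in subjects if not SCOPED_SUB.match(s)]
    return findings

def make_policy(account_id, conditions):
    """Build a constructed trust policy for one environment's account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": conditions}]}

# Constructed sample input: one role per environment account (placeholder IDs and names).
AUDIENCE = "aws.workload.identity"  # assumed audience value
ROLES = {
    "development": make_policy("111111111111", {"StringEquals": {AUD_KEY: AUDIENCE}}),
    "production": make_policy("222222222222", {
        "StringEquals": {AUD_KEY: AUDIENCE},
        "StringLike": {SUB_KEY: "organization:example-org:project:example-project:stack:example-stack:*"}}),
}

if __name__ == "__main__":
    for env, policy in ROLES.items():
        print(env, audit_trust_policy(policy, AUDIENCE) or "ok")
```

The constructed development role is reported because it checks only the audience, so any token the provider issues with that audience could assume it; the production role passes because its subject is scoped to one organization, project and stack.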
