Terraform module to deploy Lambda resources on AWS
- Creates a Lambda Function
- Creates an IAM Execution Role for the Lambda and attaches the module's internal policies plus any policies you provide
- Optionally uses an existing IAM Execution Role (referenced by name via `iam_execution_role_external_name`) and skips creating a new one
- Creates a CloudWatch Log Group for the Lambda logs
- Optionally creates an SQS queue for triggering the Lambda
- Optionally creates a CloudWatch Event Rule (for scheduling)
```hcl
module "lambda" {
  source  = "nuvibit/lambda/aws"
  version = "~> 1.0"

  function_name      = "my_lambda"
  description        = "my lambda function"
  handler            = "main.lambda_handler"
  runtime            = "python3.9"
  local_package_path = "../my_lambda.zip"
  tracing_mode       = "Active"
}
```
```hcl
module "lambda" {
  source  = "nuvibit/lambda/aws"
  version = "~> 1.0"

  function_name      = "my_lambda"
  description        = "my lambda function"
  handler            = "main.lambda_handler"
  runtime            = "python3.9"
  local_package_path = "../my_lambda.zip"

  enable_encryption   = true
  kms_key_arn         = aws_kms_key.example.arn
  trigger_sqs_enabled = true
}
```
To enable encryption of the log group and the trigger queue, set `enable_encryption` to `true` and provide a `kms_key_arn`.
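Two things around that key are easy to miss: CloudWatch Logs can only write to a log group encrypted with a customer-managed key when the key policy grants the Logs service principal access, and a Lambda polling an SSE-KMS queue can only read messages when its execution role may decrypt with the key. The following added example (not part of the module's README; the key description, policy names and the 90-day retention are assumptions) builds such a key and wires it into the encryption inputs shown above.

```hcl
# Added example, not from the nuvibit/lambda/aws README. Assumes the AWS
# provider is configured for the account and region returned by the two data
# sources below; names and the retention period are constructed.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "lambda_kms" {
  # The account root keeps administrative control of the key and lets IAM
  # policies in this account (such as the execution role policy further
  # down) delegate key usage.
  statement {
    sid       = "EnableIAMUserPermissions"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # CloudWatch Logs must be allowed to use the key, otherwise creating the
  # encrypted log group fails. The encryption-context condition restricts the
  # grant to log groups in this account and region.
  statement {
    sid = "AllowCloudWatchLogs"
    actions = [
      "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
      "kms:GenerateDataKey*", "kms:Describe*",
    ]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
    }
  }
}

resource "aws_kms_key" "lambda" {
  description         = "CMK for my_lambda log group and trigger queue" # constructed
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.lambda_kms.json
}

# Lambda polls the encrypted trigger queue with its execution role, so the
# role needs kms:Decrypt on exactly this key. The policy is handed to the
# module via iam_execution_policy_arns instead of being written into the key
# policy, which would create a dependency cycle between key and module.
data "aws_iam_policy_document" "lambda_kms_use" {
  statement {
    sid       = "DecryptTriggerQueueMessages"
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.lambda.arn]
  }
}

resource "aws_iam_policy" "lambda_kms_use" {
  name   = "my_lambda_kms_use" # constructed
  policy = data.aws_iam_policy_document.lambda_kms_use.json
}

module "lambda" {
  source  = "nuvibit/lambda/aws"
  version = "~> 1.0"

  function_name      = "my_lambda"
  description        = "my lambda function"
  handler            = "main.lambda_handler"
  runtime            = "python3.9"
  local_package_path = "../my_lambda.zip"

  enable_encryption   = true
  kms_key_arn         = aws_kms_key.lambda.arn
  trigger_sqs_enabled = true

  iam_execution_policy_arns = [aws_iam_policy.lambda_kms_use.arn]
  log_retention_in_days     = 90 # assumed retention period
}
```

If you also subscribe the trigger queue to SNS topics via `trigger_sqs_inbound_sns_topics`, the key policy additionally needs a statement for the `sns.amazonaws.com` service principal with `kms:GenerateDataKey` and `kms:Decrypt`; otherwise SNS cannot deliver to the encrypted queue and messages are silently dropped.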
```hcl
module "lambda_vpc" {
  source  = "nuvibit/lambda/aws"
  version = "~> 1.0"

  function_name      = "my_lambda_vpc"
  description        = "my lambda function in vpc"
  handler            = "main.lambda_handler"
  runtime            = "python3.9"
  local_package_path = "../my_lambda.zip"

  vpc_subnet_ids         = ["subnet-b46032ec", "subnet-a46032fc"]
  vpc_security_group_ids = ["sg-51530134"]

  resource_tags = {
    CostCenter = "project-1"
  }
}
```
```hcl
data "aws_iam_role" "lambda" {
  name = "my_lambda_execute_role"
}

module "lambda_vpc" {
  source  = "nuvibit/lambda/aws"
  version = "~> 1.0"

  create_execution_role            = false
  iam_execution_role_external_name = data.aws_iam_role.lambda.name

  function_name      = "my_lambda_vpc"
  description        = "my lambda function in vpc"
  handler            = "main.lambda_handler"
  runtime            = "python3.9"
  local_package_path = "../my_lambda.zip"

  resource_tags = {
    CostCenter = "project-1"
  }
}
```
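When the module creates the execution role, three of its inputs decide how much damage a compromised or buggy function can do: `iam_execution_policy_arns` (what the role is granted beyond the module's internal policies), `iam_execution_role_permissions_boundary_arn` (the ceiling the role can never exceed, whatever is attached later) and `reserved_concurrent_executions` (how far it can scale). The following added example, not from the module's README, combines them for the VPC function shown above; the DynamoDB table, policy names, subnet and security-group IDs are constructed placeholders.

```hcl
# Added example, not from the nuvibit/lambda/aws README. All ARNs, IDs and
# names below are constructed placeholders.
locals {
  orders_table_arn = "arn:aws:dynamodb:eu-central-1:123456789012:table/orders" # constructed
}

# 1. Extra permissions are a separate, resource-scoped policy handed to the
#    module through iam_execution_policy_arns; nothing is granted on "*".
data "aws_iam_policy_document" "orders_read" {
  statement {
    sid       = "ReadOrdersTable"
    actions   = ["dynamodb:GetItem", "dynamodb:Query"]
    resources = [local.orders_table_arn]
  }
}

resource "aws_iam_policy" "orders_read" {
  name   = "my_lambda_vpc_orders_read" # constructed
  policy = data.aws_iam_policy_document.orders_read.json
}

# 2. A permissions boundary caps what the execution role can ever hold, even
#    if a broader policy is attached to it later. It allows only logging,
#    X-Ray, the ENI actions a VPC-attached function needs (the set granted by
#    AWSLambdaVPCAccessExecutionRole) and the DynamoDB reads from step 1.
data "aws_iam_policy_document" "lambda_boundary" {
  statement {
    sid = "BoundaryAllow"
    actions = [
      "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
      "xray:PutTraceSegments", "xray:PutTelemetryRecords",
      "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
      "ec2:DescribeSubnets", "ec2:DeleteNetworkInterface",
      "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses",
      "dynamodb:GetItem", "dynamodb:Query",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "lambda_boundary" {
  name   = "my_lambda_vpc_boundary" # constructed
  policy = data.aws_iam_policy_document.lambda_boundary.json
}

module "lambda_vpc" {
  source  = "nuvibit/lambda/aws"
  version = "~> 1.0"

  function_name      = "my_lambda_vpc"
  description        = "my lambda function in vpc"
  handler            = "main.lambda_handler"
  runtime            = "python3.9"
  local_package_path = "../my_lambda.zip"

  vpc_subnet_ids         = ["subnet-0123456789abcdef0"] # constructed
  vpc_security_group_ids = ["sg-0123456789abcdef0"]     # constructed

  iam_execution_policy_arns                   = [aws_iam_policy.orders_read.arn]
  iam_execution_role_permissions_boundary_arn = aws_iam_policy.lambda_boundary.arn

  # 3. Blast-radius limits: a short timeout, a concurrency cap so a flood of
  #    events cannot exhaust the account's concurrency, bounded log retention
  #    and X-Ray tracing so invocations can be reconstructed afterwards.
  timeout                        = 10
  reserved_concurrent_executions = 5
  log_retention_in_days          = 30
  tracing_mode                   = "Active"

  environment_variables = {
    ORDERS_TABLE = "orders" # constructed
  }

  resource_tags = {
    CostCenter = "project-1"
  }
}
```

A boundary is an intersection, not a grant: any action the module's internal policies attach to the role but the boundary omits is denied at runtime, so after `terraform apply` check the function's first invocations in the log group and extend the boundary's allow list only for actions the function demonstrably needs.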
Requirements

Name | Version |
---|---|
terraform | >= 0.15.0 |
archive | >= 2.0.0 |
aws | >= 3.15 |
Providers

Name | Version |
---|---|
archive | >= 2.0.0 |
aws | >= 3.15 |
Modules

Name | Source | Version |
---|---|---|
execution_role | ./modules/execution-role | n/a |
Resources

Name | Type |
---|---|
aws_cloudwatch_event_rule.pattern | resource |
aws_cloudwatch_event_rule.schedule | resource |
aws_cloudwatch_event_target.pattern | resource |
aws_cloudwatch_event_target.schedule | resource |
aws_cloudwatch_log_group.lambda_logs | resource |
aws_lambda_event_source_mapping.lambda_trigger | resource |
aws_lambda_function.this | resource |
aws_lambda_permission.allowed_triggers | resource |
aws_lambda_permission.pattern | resource |
aws_lambda_permission.schedule | resource |
aws_sns_topic_subscription.lambda_trigger | resource |
aws_sqs_queue.lambda_trigger | resource |
aws_sqs_queue_policy.lambda_trigger | resource |
archive_file.lambda_package | data source |
aws_caller_identity.current | data source |
aws_iam_policy_document.lambda_trigger | data source |
aws_region.current | data source |
Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
function_name | Unique name for your Lambda Function. | `string` | n/a | yes |
runtime | Identifier of the function's runtime. See Runtimes for valid values. | `string` | n/a | yes |
architecture | Instruction set architecture for your Lambda function. Valid values are `x86_64` and `arm64`. | `string` | `"x86_64"` | no |
create_execution_role | Controls whether the IAM execution role is created. If set to false, the name of an existing execution role must be provided via `iam_execution_role_external_name`. | `bool` | `true` | no |
description | Description of what your Lambda Function does. | `string` | `""` | no |
enable_encryption | Set to true to enable encryption of logs and SQS messages; requires `kms_key_arn` to be set. This variable is a required workaround to avoid issues with `terraform plan` when the externally provided `kms_key_arn` is not known at plan time. | `bool` | `false` | no |
environment_variables | Map of environment variables that are accessible from the function code during execution. | `map(string)` | `{}` | no |
event_patterns | A list of event patterns described as JSON objects. | `list(string)` | `[]` | no |
file_system_config_arn | Amazon Resource Name (ARN) of the Amazon EFS Access Point that provides access to the file system. | `string` | `null` | no |
file_system_config_local_mount_path | Path where the function can access the file system, starting with `/mnt/`. | `string` | `null` | no |
handler | Function entrypoint in your code. | `string` | `null` | no |
iam_execution_policy_arns | List of ARNs of optional additional execution policies, defined outside this module, to attach to the IAM Lambda execution role. | `list(string)` | `[]` | no |
iam_execution_role_external_name | Name of an optional external IAM execution role outside this module. If `create_execution_role` is false, this value is required. | `string` | `""` | no |
iam_execution_role_name | Friendly name of the Lambda execution role. If omitted, it is generated from the function name. | `string` | `null` | no |
iam_execution_role_path | Path of the IAM role. | `string` | `null` | no |
iam_execution_role_permissions_boundary_arn | ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no |
kms_key_arn | KMS key ARN used to encrypt logs and SQS messages. Requires `enable_encryption` to be true. | `string` | `null` | no |
layers | List of Lambda Layer Version ARNs (maximum of 5) to attach to your Lambda Function. | `list(string)` | `null` | no |
local_package_path | Will be deprecated. Path to the function's deployment package within the local filesystem. | `string` | `null` | no |
log_retention_in_days | Specifies the number of days you want to retain log events in the specified log group. | `number` | `null` | no |
memory_size | Amount of memory in MB your Lambda Function can use at runtime. | `number` | `128` | no |
package_source_path | Path to the function's code to create the deployment package. | `string` | `null` | no |
package_type | Lambda deployment package type. | `string` | `"Zip"` | no |
publish | Whether to publish creation/change as a new Lambda Function Version. | `bool` | `false` | no |
reserved_concurrent_executions | Amount of reserved concurrent executions for this Lambda function. A value of 0 disables the Lambda from being triggered and -1 removes any concurrency limitations. | `number` | `-1` | no |
resource_name_suffix | Alphanumeric suffix for all the resource names in this module. | `string` | `""` | no |
resource_tags | A map of tags to assign to the resources in this module. | `map(string)` | `{}` | no |
schedule_expression | The scheduling expression. For example, `cron(0 20 * * ? *)` or `rate(5 minutes)`. | `string` | `null` | no |
timeout | Amount of time your Lambda Function has to run, in seconds. | `number` | `3` | no |
tracing_mode | Whether to sample and trace a subset of incoming requests with AWS X-Ray. Valid values are `PassThrough` and `Active`. If `PassThrough`, Lambda will only trace the request from an upstream service if it contains a tracing header with `sampled=1`. If `Active`, Lambda will respect any tracing header it receives from an upstream service. If no tracing header is received, Lambda will call X-Ray for a tracing decision. | `string` | `null` | no |
trigger_permissions | Tuple of principals to grant lambda-trigger permission. | `list(object(` | `[]` | no |
trigger_sqs_access_policy_sources_json | If custom sources feed the optional Trigger-SQS, provide the SQS access policies here. | `list(string)` | `null` | no |
trigger_sqs_enabled | Specifies whether an SQS queue for triggering the Lambda will be created. | `bool` | `false` | no |
trigger_sqs_inbound_sns_topics | Only provide if `trigger_sqs_enabled = true`. List of SNS ARNs the Trigger-SQS will be subscribed to. | `list(object(` | `[]` | no |
vpc_security_group_ids | List of security group IDs associated with the Lambda function. | `list(string)` | `[]` | no |
vpc_subnet_ids | List of subnet IDs associated with the Lambda function. | `list(string)` | `[]` | no |
Outputs

Name | Description |
---|---|
lambda_arn | Amazon Resource Name (ARN) identifying your Lambda Function. |
lambda_cloudwatch_log_group_arn | The Amazon Resource Name (ARN) specifying the Lambda log group. |
lambda_execution_role_arn | Amazon Resource Name (ARN) specifying the Lambda execution role. |
lambda_execution_role_id | Name of the Lambda execution role. |
lambda_execution_role_name | Name of the Lambda execution role. |
lambda_execution_role_unique_id | Stable and unique string identifying the Lambda execution role. |
lambda_invoke_arn | ARN to be used for invoking the Lambda Function from API Gateway, i.e. in `aws_api_gateway_integration`'s `uri`. |
lambda_name | Unique name identifying your Lambda Function. |
lambda_pattern_cloudwatch_event_rule_arns | The Amazon Resource Names (ARNs) of the Lambda pattern rules. |
lambda_pattern_cloudwatch_event_rule_ids | The names of the Lambda pattern rules. |
lambda_qualified_arn | ARN identifying your Lambda Function Version (if versioning is enabled via `publish = true`). |
lambda_schedule_cloudwatch_event_rule_arn | The Amazon Resource Name (ARN) of the Lambda scheduling rule. |
lambda_schedule_cloudwatch_event_rule_id | The name of the Lambda scheduling rule. |
lambda_version | Latest published version of your Lambda Function. |
trigger_sqs_arn | ARN of the optional Trigger-SQS. |
trigger_sqs_id | ID of the optional Trigger-SQS. |
trigger_sqs_name | Name of the optional Trigger-SQS. |
This module is maintained by Nuvibit with help from these amazing contributors.
This module is licensed under Apache 2.0. See LICENSE for full details.
Copyright © 2021 Nuvibit AG