Skip to content

Latest commit

 

History

History
260 lines (218 loc) · 19.4 KB

README.md

File metadata and controls

260 lines (218 loc) · 19.4 KB

AWS Lambda Terraform module

nuvibit logo

Maintained by nuvibit.com Terraform Version Latest Release

Terraform module to deploy Lambda resources on AWS

Architecture

lambda architecture

Features

  • Creates a Lambda Function
  • Creates IAM Execution Role for Lambda and attaches internal and provided policies
  • Optionally provide external IAM Execution Role ARN and skip creating new Execution Role
  • Creates a CloudWatch Log Group for Lambda logs
  • Optionally creates a SQS for triggering the Lambda
  • Optionally creates a CloudWatch Event Rule (for scheduling)

Usage

Lambda Function with local package and enabled tracing

module "lambda" {
  source  = "nuvibit/lambda/aws"
  version = "~> 1.0"

  function_name      = "my_lambda"
  description        = "my lambda function"
  handler            = "main.lambda_handler"
  runtime            = "python3.9"
  local_package_path = "../my_lambda.zip"
  tracing_mode         = "Active"
}

Lambda Function with encrypted SQS trigger and encrypted lambda logs

module "lambda" {
  source  = "nuvibit/lambda/aws"
  version = "~> 1.0"

  function_name      = "my_lambda"
  description        = "my lambda function"
  handler            = "main.lambda_handler"
  runtime            = "python3.9"
  local_package_path = "../my_lambda.zip"

  enable_encryption    = true
  kms_key_arn          = aws_kms_key.example.arn

  trigger_sqs_enabled = true
}

If you want to enable encryption you have to set enable_encryption to true and provide a kms_key_arn.

Lambda Function in VPC

module "lambda_vpc" {
  source  = "nuvibit/lambda/aws"
  version = "~> 1.0"

  function_name          = "my_lambda_vpc"
  description            = "my lambda function in vpc"
  handler                = "main.lambda_handler"
  runtime                = "python3.9"
  local_package_path     = "../my_lambda.zip"
  vpc_subnet_ids         = ["subnet-b46032ec", "subnet-a46032fc"]
  vpc_security_group_ids = ["sg-51530134"]

  resource_tags = {
    CostCenter = "project-1"
  }
}

Lambda Function with external IAM execute policy

data "aws_iam_role" "lambda" {
  name = "my_lambda_execute_role"
}

module "lambda_vpc" {
  source  = "nuvibit/lambda/aws"
  version = "~> 1.0"

  create_execution_role            = false
  iam_execution_role_external_name = data.aws_iam_role.lambda.name
  function_name                    = "my_lambda_vpc"
  description                      = "my lambda function in vpc"
  handler                          = "main.lambda_handler"
  runtime                          = "python3.9"
  local_package_path               = "../my_lambda.zip"

  resource_tags = {
    CostCenter = "project-1"
  }
}

Examples

Requirements

Name Version
terraform >= 0.15.0
archive >= 2.0.0
aws >= 3.15

Providers

Name Version
archive >= 2.0.0
aws >= 3.15

Modules

Name Source Version
execution_role ./modules/execution-role n/a

Resources

Name Type
aws_cloudwatch_event_rule.pattern resource
aws_cloudwatch_event_rule.schedule resource
aws_cloudwatch_event_target.pattern resource
aws_cloudwatch_event_target.schedule resource
aws_cloudwatch_log_group.lambda_logs resource
aws_lambda_event_source_mapping.lambda_trigger resource
aws_lambda_function.this resource
aws_lambda_permission.allowed_triggers resource
aws_lambda_permission.pattern resource
aws_lambda_permission.schedule resource
aws_sns_topic_subscription.lambda_trigger resource
aws_sqs_queue.lambda_trigger resource
aws_sqs_queue_policy.lambda_trigger resource
archive_file.lambda_package data source
aws_caller_identity.current data source
aws_iam_policy_document.lambda_trigger data source
aws_region.current data source

Inputs

Name Description Type Default Required
function_name Unique name for your Lambda Function. string n/a yes
runtime Identifier of the function's runtime. See Runtimes for valid values. string n/a yes
architecture Instruction set architecture for your Lambda function. Valid values are 'x86_64' and 'arm64'. string "x86_64" no
create_execution_role Controls if IAM execution role should be created. If set to false an iam execute role ARN for 'iam_execution_role_external_arn' needs to be provided. bool true no
description Description of what your Lambda Function does. string "" no
enable_encryption This variable is a required workaround to avoid issues with terraform plan when the external provided kms_key_arn is not known at plan.
Set to true to enable encryption of logs and sqs messages. Requires kms_key_arn to be set.
bool false no
environment_variables Map of environment variables that are accessible from the function code during execution. map(string) {} no
event_patterns A List of event patterns described as JSON objects. list(string) [] no
file_system_config_arn Amazon Resource Name (ARN) of the Amazon EFS Access Point that provides access to the file system. string null no
file_system_config_local_mount_path Path where the function can access the file system, starting with /mnt/. string null no
handler Function entrypoint in your code. string null no
iam_execution_policy_arns List of optional additional execution policy statement ARNs outside this module to attach to IAM Lambda execution role. list(string) [] no
iam_execution_role_external_name Name of an optional external IAM execution role outside this module. If create_execution_role is false, this value is required. string "" no
iam_execution_role_name Friendly name of the lambda execution role. If omitted, will be generated with function name. string null no
iam_execution_role_path Path of the IAM role. string null no
iam_execution_role_permissions_boundary_arn ARN of the policy that is used to set the permissions boundary for the role. string null no
kms_key_arn KMS key ARN to be used to encrypt logs and sqs messages. requires enable_encryption to be true. string null no
layers List of Lambda Layer Version ARNs (maximum of 5) to attach to your Lambda Function. list(string) null no
local_package_path Will be deprecated. Path to the function's deployment package within the local filesystem. string null no
log_retention_in_days Specifies the number of days you want to retain log events in the specified log group. number null no
memory_size Amount of memory in MB your Lambda Function can use at runtime. number 128 no
package_source_path Path to the function's code to create the deployment package. string null no
package_type Lambda deployment package type. string "Zip" no
publish Whether to publish creation/change as new Lambda Function Version. bool false no
reserved_concurrent_executions Amount of reserved concurrent executions for this lambda function.
A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations.
number -1 no
resource_name_suffix Alphanumeric suffix for all the resource names in this module. string "" no
resource_tags A map of tags to assign to the resources in this module. map(string) {} no
schedule_expression The scheduling expression. For example, cron(0 20 * * ? *) or rate(5 minutes). string null no
timeout Amount of time your Lambda Function has to run in seconds. number 3 no
tracing_mode Whether to to sample and trace a subset of incoming requests with AWS X-Ray.
Valid values are PassThrough and Active.
If PassThrough, Lambda will only trace the request from an upstream service if it contains a tracing header with "sampled=1".
If Active, Lambda will respect any tracing header it receives from an upstream service.
If no tracing header is received, Lambda will call X-Ray for a tracing decision.
string null no
trigger_permissions Tuple of principals to grant lambda-trigger permission.
list(object(
{
principal = string # The principal who is getting trigger permission. e.g. s3.amazonaws.com, any valid AWS service principal or an AWS account ID.
source_arn = string # The ARN of the specific resource within that service to grant permission to. Set to 'any' to grant permission to any resource in principal.
}
))
[] no
trigger_sqs_access_policy_sources_json In case you have custom sources feeding the optional Trigger-SQS, you have to provide the SQS Access Policies here. list(string) null no
trigger_sqs_enabled Specifies, if a SQS for triggering the Lambda will be created. bool false no
trigger_sqs_inbound_sns_topics Only provide, if var.trigger_sqs_enabled = true. List of SNS ARNs the Trigger-SQS will be subscribed to.
list(object(
{
sns_arn = string # The ARN of the SNS topic that will trigger the Lambda via the created SQS.
filter_policy_json = string # Policy for filtering the stream to the SQS subscription to specific SNS items.
}
))
[] no
vpc_security_group_ids List of security group IDs associated with the Lambda function. list(string) [] no
vpc_subnet_ids List of subnet IDs associated with the Lambda function. list(string) [] no

Outputs

Name Description
lambda_arn Amazon Resource Name (ARN) identifying your Lambda Function.
lambda_cloudwatch_log_group_arn The Amazon Resource Name (ARN) specifying the lambda log group.
lambda_execution_role_arn Amazon Resource Name (ARN) specifying the lambda execution role.
lambda_execution_role_id Name of the lambda execution role.
lambda_execution_role_name Name of the lambda execution role.
lambda_execution_role_unique_id Stable and unique string identifying the lambda execution role.
lambda_invoke_arn ARN to be used for invoking Lambda Function from API Gateway - to be used in aws_api_gateway_integration's uri.
lambda_name Unique name identifying your Lambda Function.
lambda_pattern_cloudwatch_event_rule_arns The Amazon Resource Name (ARN) of the lambda pattern rule.
lambda_pattern_cloudwatch_event_rule_ids The name of the lambda pattern rule.
lambda_qualified_arn ARN identifying your Lambda Function Version (if versioning is enabled via publish = true).
lambda_schedule_cloudwatch_event_rule_arn The Amazon Resource Name (ARN) of the lambda scheduling rule.
lambda_schedule_cloudwatch_event_rule_id The name of the lambda scheduling rule.
lambda_version Latest published version of your Lambda Function.
trigger_sqs_arn ARN of the optional Trigger-SQS.
trigger_sqs_id ID of the optional Trigger-SQS.
trigger_sqs_name Name of the optional Trigger-SQS.

Authors

This module is maintained by Nuvibit with help from these amazing contributors

License

This module is licensed under Apache 2.0
See LICENSE for full details



Copyright © 2021 Nuvibit AG