Terraform module for creating AWS Lambda jobs with appropriate log configurations.

trussworks/terraform-aws-lambda

Creates a Lambda function with an associated role and policies, which will log to CloudWatch Logs.

Creates the following resources:

  • Lambda function
  • IAM role with policy to allow logging to CloudWatch Logs
  • CloudWatch Logs group

Usage

module "my_lambda_function" {
  source                 = "trussworks/lambda/aws"
  name                   = "my_app"
  job_identifier         = "instance_alpha"
  runtime                = "go1.x"
  role_policy_arns_count = 1
  role_policy_arns       = [aws_iam_policy.my_app_lambda_policy.arn]
  s3_bucket              = "my_s3_bucket"
  s3_key                 = "my_app/1.0/my_app.zip"

  subnet_ids             = ["subnet-0123456789abcdef0"]
  security_group_ids     = ["sg-0123456789abcdef0"]

  source_types           = ["events"]
  source_arns            = [aws_cloudwatch_event_rule.trigger.arn]

  env_vars = {
    VARNAME = "value"
  }

  tags = {
    "Service" = "big_app"
  }

}
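
The usage block references `aws_iam_policy.my_app_lambda_policy` and `aws_cloudwatch_event_rule.trigger` without defining them. One way to define them, as an added example that is not part of the module's own code; the S3 bucket and prefix, the policy contents, the resource names other than those two and the schedule are assumptions:

```hcl
# Added example: supporting resources referenced by the module call above.
# Bucket name, object prefix and schedule are constructed placeholders.

# Least-privilege policy for the function's own work. The module already
# creates the role's policy for logging to CloudWatch Logs, so only the
# application's extra permissions belong here.
data "aws_iam_policy_document" "my_app_lambda" {
  statement {
    sid       = "ReadAppInput"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::my-app-input-bucket/incoming/*"]
  }
}

# Passed to the module in role_policy_arns; role_policy_arns_count must
# equal the number of ARNs in that list (1 here).
resource "aws_iam_policy" "my_app_lambda_policy" {
  name   = "my-app-lambda"
  policy = data.aws_iam_policy_document.my_app_lambda.json
}

# Rule whose ARN is passed in source_arns, at the same index as the
# "events" entry in source_types.
resource "aws_cloudwatch_event_rule" "trigger" {
  name                = "my-app-nightly"
  schedule_expression = "rate(1 day)"
}

# The module's resource list contains no event target, so the caller
# connects the rule to the function through the lambda_arn output.
resource "aws_cloudwatch_event_target" "trigger" {
  rule = aws_cloudwatch_event_rule.trigger.name
  arn  = module.my_lambda_function.lambda_arn
}
```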

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | >= 3.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 3.0 |
| null | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.main | resource |
| aws_iam_role.main | resource |
| aws_iam_role_policy.main | resource |
| aws_iam_role_policy_attachment.user_policy_attach | resource |
| aws_lambda_function.main_from_gh | resource |
| aws_lambda_function.main_from_s3 | resource |
| aws_lambda_permission.allow_source_gh | resource |
| aws_lambda_permission.allow_source_s3 | resource |
| null_resource.get_github_release_artifact | resource |
| null_resource.verify_policy_list_count | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.assume_role | data source |
| aws_iam_policy_document.logs_policy_doc | data source |
| aws_partition.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| cloudwatch_encryption_key_arn | The ARN of the encryption key to be used for the CloudWatch Logs | string | "" | no |
| cloudwatch_logs_retention_days | Number of days to retain logs in CloudWatch Logs | string | 30 | no |
| env_vars | Map of environment variables for Lambda function | map(any) | {} | no |
| ephemeral_storage | Size in MB of Lambda function ephemeral storage allocation | string | 512 | no |
| github_filename | Name of the file to get when building URL to pull. | string | "deployment.zip" | no |
| github_project | The unique GitHub project to pull from. Currently, this must be public. E.g. 'trussworks/aws-iam-sleuth' | string | "" | no |
| github_release | The release tag to download. | string | "" | no |
| handler | The entrypoint function for the Lambda function. | string | "main.Main" | no |
| job_identifier | Identifier for specific instance of Lambda function | string | n/a | yes |
| memory_size | Size in MB of Lambda function memory allocation | string | 128 | no |
| name | Lambda function name | string | n/a | yes |
| publish | Whether to publish creation/change as new Lambda Function Version. | bool | false | no |
| role_policy_arns | List of policy ARNs to attach to Lambda role | list(any) | n/a | yes |
| role_policy_arns_count | Count of policy ARNs to attach to Lambda role | string | n/a | yes |
| runtime | Lambda runtime type | string | n/a | yes |
| s3_bucket | Name of S3 bucket used for Lambda build | string | "" | no |
| s3_key | Key for S3 object for Lambda function code | string | "" | no |
| security_group_ids | List of security group IDs for Lambda VPC config (leave empty if no VPC) | list(any) | [] | no |
| source_arns | List of ARNs for Lambda triggers; order must match source_types | list(any) | [] | no |
| source_types | List of sources for Lambda triggers; order must match source_arns | list(any) | [] | no |
| subnet_ids | List of subnet IDs for Lambda VPC config (leave empty if no VPC) | list(any) | [] | no |
| tags | Map of tags for Lambda function | map(any) | {} | no |
| timeout | Timeout in seconds for Lambda function timeout | string | 60 | no |
| validation_sha | SHA to validate the file. | string | "" | no |

Outputs

| Name | Description |
|------|-------------|
| function_name | Name of the AWS Lambda function |
| invoke_arn | ARN used to invoke Lambda function from API Gateway |
| lambda_arn | ARN for the Lambda function |