AWS Lambda Function Terraform Module

terraform-aws-arc-lambda-function

Overview

The ARC Terraform module provides a comprehensive and unified solution for deploying AWS Lambda functions on AWS. This versatile module supports multiple deployment methods including local source code, S3-based deployments, and container images, allowing you to choose the deployment approach that best fits your application requirements and operational needs.

Prerequisites

Before using this module, ensure you have the following:

• AWS credentials configured.
• Terraform installed.
• A working knowledge of Terraform.

Getting Started

1. Define the Module

Initially, it's essential to define a Terraform module, which is organized as a distinct directory encompassing Terraform configuration files. Within this module directory, input variables and output values must be defined in the variables.tf and outputs.tf files, respectively. The following illustrates an example directory structure:

lambda-function/
|-- main.tf
|-- variables.tf
|-- outputs.tf

1. Define Input Variables

Inside the variables.tf or in *.tfvars file, you should define values for the variables that the module requires.

1. Use the Module in Your Main Configuration In your main Terraform configuration file (e.g., main.tf), you can use the module. Specify the source of the module, and version, For Example

module "lambda-function" {
  source                 = "sourcefuse/arc-lambda-function/aws"
  version                = "0.0.1"

  # Basic configuration
  function_name = var.function_name
  description   = "Basic Lambda function example"
  runtime       = "python3.11"
  handler       = "lambda_function.lambda_handler"
  memory_size   = 128
  timeout       = 10

  # Deployment package
  filename         = data.archive_file.lambda_zip.output_path
  source_code_hash = data.archive_file.lambda_zip.output_base64sha256

  # Environment variables
  environment_variables = {
    ENVIRONMENT = var.environment
    LOG_LEVEL   = var.log_level
  }

  # CloudWatch Logs
  create_log_group      = true
  log_retention_in_days = 7

 tags = module.tags.tags
}

1. Output Values

Inside the outputs.tf file of the module, you can define output values that can be referenced in the main configuration. For example:

output "arn" {
  description = "ARN of the Lambda function"
  value       = module.basic_lambda.lambda_function_arn
}

output "name" {
  description = "Name of the Lambda function"
  value       = module.basic_lambda.lambda_function_name
}

output "invoke_arn" {
  description = "Invoke ARN of the Lambda function"
  value       = module.basic_lambda.lambda_function_invoke_arn
}

output "role_arn" {
  description = "ARN of the Lambda execution role"
  value       = module.basic_lambda.lambda_role_arn
}

output "cloudwatch_log_group_name" {
  description = "Name of the CloudWatch log group"
  value       = module.basic_lambda.lambda_cloudwatch_log_group_name
}

1. .tfvars

Inside the .tfvars file of the module, you can provide desired values that can be referenced in the main configuration.

First Time Usage

uncomment the backend block in main.tf

terraform init -backend-config=config.dev.hcl

If testing locally, terraform init should be fine

Create a dev workspace

terraform workspace new dev

Plan Terraform

terraform plan -var-file dev.tfvars

Apply Terraform

terraform apply -var-file dev.tfvars

Production Setup

terraform init -backend-config=config.prod.hcl

Create a prod workspace

terraform workspace new prod

Plan Terraform

terraform plan -var-file prod.tfvars

Apply Terraform

terraform apply -var-file prod.tfvars  

Requirements

Name	Version
terraform	>= 1.3.0
archive	>= 2.0
aws	>= 5.0
null	~> 3.2

Providers

Name	Version
aws	6.8.0
null	3.2.4

Modules

No modules.

Resources

Name	Type
aws_cloudwatch_log_group.lambda	resource
aws_iam_role.lambda	resource
aws_iam_role_policy.lambda_execution	resource
aws_lambda_alias.this	resource
aws_lambda_function.this	resource
aws_lambda_function_url.this	resource
aws_lambda_permission.this	resource
aws_lambda_provisioned_concurrency_config.this	resource
aws_sqs_queue.dlq	resource
null_resource.validate_deployment_package	resource
null_resource.validate_package_compatibility	resource
aws_caller_identity.current	data source
aws_iam_policy_document.lambda_assume_role	data source
aws_iam_policy_document.lambda_execution	data source
aws_region.current	data source

Inputs

Name	Description	Type	Default	Required
alias_description	Description of the alias	string	"Lambda function alias"	no
alias_function_version	Lambda function version for which you are creating the alias	string	null	no
alias_name	Name for the alias	string	"live"	no
alias_routing_config	The Lambda alias routing configuration	object({ additional_version_weights = map(number) })	null	no
architectures	Instruction set architecture for your Lambda function	list(string)	[ "x86_64" ]	no
attach_policy_statements	Whether to attach additional policy statements to the Lambda role	bool	false	no
code_signing_config_arn	ARN of code signing config	string	null	no
create_alias	Whether to create an alias for the Lambda function	bool	false	no
create_dlq	Whether to create a dead letter queue (SQS) for the Lambda function	bool	false	no
create_function_url	Whether to create a Lambda function URL	bool	false	no
create_log_group	Whether to create a CloudWatch log group for the Lambda function	bool	true	no
create_role	Whether to create an IAM role for the Lambda function	bool	true	no
dead_letter_config	Dead letter queue configuration	object({ target_arn = string })	null	no
description	Description of what your Lambda Function does	string	"Lambda function created by Terraform"	no
dlq_message_retention_seconds	The number of seconds Amazon SQS retains a message in the DLQ	number	1209600	no
dlq_name	Name of the dead letter queue (if create_dlq is true)	string	null	no
environment_variables	Map of environment variables that are accessible from the function code during execution	map(string)	{}	no
ephemeral_storage	Ephemeral storage size in MB (512-10240)	number	512	no
file_system_config	File system configuration for the Lambda function	object({ arn = string local_mount_path = string })	null	no
filename	Path to the function's deployment package within the local filesystem	string	null	no
function_name	Name of the Lambda function	string	n/a	yes
function_tags	A map of tags to assign specifically to the Lambda function	map(string)	{}	no
function_url_config	Lambda function URL configuration	object({ authorization_type = string cors = optional(object({ allow_credentials = optional(bool, false) allow_headers = optional(list(string), []) allow_methods = optional(list(string), []) allow_origins = optional(list(string), []) expose_headers = optional(list(string), []) max_age = optional(number, 0) })) invoke_mode = optional(string, "BUFFERED") })	{ "authorization_type": "AWS_IAM" }	no
handler	Function entrypoint in your code	string	"index.handler"	no
image_config	Configuration for Lambda when using container images	object({ command = list(string) entry_point = list(string) working_directory = string })	null	no
image_uri	ECR image URI containing the function's deployment package	string	null	no
kms_key_arn	Amazon Resource Name (ARN) of the AWS Key Management Service (KMS) key that's used to encrypt your function's environment variables	string	null	no
lambda_insights_enabled	Whether to enable Lambda Insights for the function	bool	false	no
lambda_insights_version	Version of the Lambda Insights layer	string	"1"	no
lambda_permissions	Map of Lambda permissions to create	map(object({ action = string principal = string source_arn = optional(string) source_account = optional(string) statement_id = optional(string) qualifier = optional(string) function_url_auth_type = optional(string) principal_org_id = optional(string) }))	{}	no
log_group_kms_key_id	The ARN of the KMS Key to use when encrypting log data	string	null	no
log_group_name	Name of the CloudWatch log group	string	null	no
log_retention_in_days	Specifies the number of days you want to retain log events in the specified log group	number	14	no
logging_config	Logging configuration for Lambda function	object({ log_format = string # e.g., "JSON" or "Text" log_group = string # e.g., "/aws/lambda/my-function" })	null	no
memory_size	Amount of memory in MB your Lambda Function can use at runtime	number	128	no
package_type	Lambda deployment package type (Zip or Image)	string	"Zip"	no
policy_statements	Map of policy statements to attach to the Lambda role	map(object({ effect = string actions = list(string) resources = list(string) conditions = optional(map(object({ test = string variable = string values = list(string) })), {}) }))	{}	no
provisioned_concurrency_config	Provisioned concurrency configuration	object({ provisioned_concurrent_executions = number qualifier = string })	null	no
publish	Whether to publish creation/change as new Lambda Function Version	bool	false	no
replace_security_groups_on_destroy	Whether to force replacement of security groups on destroy	bool	false	no
replacement_security_group_ids	List of replacement security group IDs to use	list(string)	[]	no
reserved_concurrent_executions	Amount of reserved concurrent executions for this lambda function	number	-1	no
role	IAM role ARN attached to the Lambda Function. If not provided, a role will be created	string	null	no
role_name	Name of the IAM role to create (if create_role is true)	string	null	no
role_path	Path of the IAM role	string	"/"	no
role_permissions_boundary	The ARN of the policy that is used to set the permissions boundary for the role	string	null	no
runtime	Runtime for the Lambda function (e.g., python3.9, nodejs18.x, java11, etc.)	string	"python3.9"	no
s3_bucket	S3 bucket location containing the function's deployment package	string	null	no
s3_key	S3 key of an object containing the function's deployment package	string	null	no
s3_object_version	Object version containing the function's deployment package	string	null	no
snap_start	SnapStart configuration for Lambda function	object({ apply_on = string # e.g., "PublishedVersions" })	null	no
source_code_hash	Used to trigger updates. Must be set to a base64-encoded SHA256 hash of the package file specified with either filename or s3_key	string	null	no
tags	A map of tags to assign to the resource	map(string)	{}	no
timeout	Amount of time your Lambda Function has to run in seconds	number	3	no
tracing_config	Tracing configuration for Lambda function	object({ mode = string # e.g., "Active" or "PassThrough" })	null	no
vpc_config	VPC configuration for the Lambda function	object({ subnet_ids = list(string) security_group_ids = list(string) })	null	no

Outputs

Name	Description
lambda_alias_arn	The Amazon Resource Name (ARN) identifying the Lambda function alias
lambda_alias_description	Description of the Lambda function alias
lambda_alias_function_version	Lambda function version which the alias uses
lambda_alias_invoke_arn	The ARN to be used for invoking Lambda Function alias from API Gateway
lambda_alias_name	The name of the Lambda function alias
lambda_cloudwatch_log_group_arn	The Amazon Resource Name (ARN) specifying the log group
lambda_cloudwatch_log_group_name	The name of the CloudWatch Log Group
lambda_dead_letter_queue_arn	The ARN of the SQS queue used as dead letter queue
lambda_dead_letter_queue_name	The name of the SQS queue used as dead letter queue
lambda_dead_letter_queue_url	The URL of the SQS queue used as dead letter queue
lambda_function_arn	The Amazon Resource Name (ARN) identifying your Lambda Function
lambda_function_environment_variables	The Lambda function environment variables
lambda_function_invoke_arn	The ARN to be used for invoking Lambda Function from API Gateway
lambda_function_kms_key_arn	The ARN of the KMS Key used to encrypt your Lambda Function's environment variables
lambda_function_last_modified	The date this resource was last modified
lambda_function_name	The name of the Lambda Function
lambda_function_qualified_arn	The Amazon Resource Name (ARN) identifying your Lambda Function Version
lambda_function_signing_job_arn	ARN of the signing job
lambda_function_signing_profile_version_arn	ARN of the signing profile version
lambda_function_source_code_hash	Base64-encoded representation of raw SHA-256 sum of the zip file
lambda_function_source_code_size	The size in bytes of the function .zip file
lambda_function_tags	The Lambda function tags
lambda_function_url	The HTTP URL endpoint for the Lambda function
lambda_function_url_id	The generated ID for the endpoint
lambda_function_version	Latest published version of your Lambda Function
lambda_function_vpc_config	The Lambda function VPC configuration
lambda_provisioned_concurrency_config_id	The ID of the provisioned concurrency configuration
lambda_role_arn	The Amazon Resource Name (ARN) specifying the Lambda IAM role
lambda_role_name	The name of the Lambda IAM role
lambda_role_unique_id	The stable and unique string identifying the Lambda IAM role

Versioning

This project uses a .version file at the root of the repo which the pipeline reads from and does a git tag.

When you intend to commit to main, you will need to increment this version. Once the project is merged, the pipeline will kick off and tag the latest git commit.

Development

Prerequisites

• terraform
• terraform-docs
• pre-commit
• golang
• golint

Configurations

• Configure pre-commit hooks

  pre-commit install
  

Versioning

while Contributing or doing git commit please specify the breaking change in your commit message whether its major,minor or patch

For Example

git commit -m "your commit message #major"

By specifying this , it will bump the version and if you don't specify this in your commit message then by default it will consider patch and will bump that accordingly

Tests

• Tests are available in test directory
• Configure the dependencies

  cd test/
  go mod init github.com/sourcefuse/terraform-aws-refarch-<module_name>
  go get github.com/gruntwork-io/terratest/modules/terraform
  

• Now execute the test
  

  go test -timeout  30m
  

Authors

This project is authored by: - SourceFuse ARC Team