AWS Lambda Function
This page shows how to write Terraform and CloudFormation for a Lambda function, and how to write them securely.
aws_lambda_function (Terraform)
A Lambda function is configured in Terraform with the resource aws_lambda_function. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_lambda_function" "get_todos" {
  function_name = "GetTodos"
  filename      = "lambdas/getTodos.zip"
  handler       = "getTodos.handler"
  runtime       = "nodejs10.x" # nodejs10.x is past end of support; use a current Node.js runtime
  role          = aws_iam_role.lambda_exec.arn
}

resource "aws_lambda_function" "poc_create_person_lambda" {
  filename         = "../lambdas/build/person_create/main.zip"
  function_name    = "poc_create_person_lambda"
  role             = aws_iam_role.poc_lambda_role.arn
  handler          = "main"
  # runtime must also be set for a Zip deployment package; it is missing from this excerpt
  source_code_hash = filebase64sha256("../lambdas/build/person_create/main.zip")
}

resource "aws_lambda_function" "getStoreInfo" {
  filename      = ".\\deployment_packages\\getStoreInfo.zip"
  function_name = "getStoreInfo"
  role          = aws_iam_role.crowdless_lambda_role.arn
  handler       = "index.js" # a Node.js handler is "<file>.<export>", e.g. "index.handler"; "index.js" fails at invocation
  runtime       = "nodejs12.x"
}

resource "aws_lambda_function" "simple_lambda" {
  filename         = "../src/simple/bundle.zip"
  function_name    = "ProlambSimple"
  role             = "arn:aws:iam::869128890907:role/iam_for_lambda" # hard-coded account ID; prefer a reference to an aws_iam_role resource
  handler          = "main.handler"
  source_code_hash = filebase64sha256("../src/simple/bundle.zip")
}
Parameters
arn - optional, computed - string
code_signing_config_arn - optional - string
description - optional - string
filename - optional - string
function_name - required - string
handler - optional - string
id - optional, computed - string
image_uri - optional - string
invoke_arn - optional, computed - string
kms_key_arn - optional - string
last_modified - optional, computed - string
layers - optional - list of string
memory_size - optional - number
package_type - optional - string
publish - optional - bool
qualified_arn - optional, computed - string
reserved_concurrent_executions - optional - number
role - required - string
runtime - optional - string
s3_bucket - optional - string
s3_key - optional - string
s3_object_version - optional - string
signing_job_arn - optional, computed - string
signing_profile_version_arn - optional, computed - string
source_code_hash - optional, computed - string
source_code_size - optional, computed - number
tags - optional - map from string to string
timeout - optional - number
version - optional, computed - string
dead_letter_config - list block
  target_arn - required - string
environment - list block
  variables - optional - map from string to string
file_system_config - list block
  arn - required - string
  local_mount_path - required - string
image_config - list block
  command - optional - list of string
  entry_point - optional - list of string
  working_directory - optional - string
timeouts - single block
  create - optional - string
tracing_config - list block
  mode - required - string
vpc_config - list block
  security_group_ids - required - set of string
  subnet_ids - required - set of string
  vpc_id - optional, computed - string
Explanation in Terraform Registry
Provides a Lambda Function resource. Lambda allows you to trigger execution of code in response to events in AWS, enabling serverless backend solutions. The Lambda Function itself includes source code and runtime configuration. For information about Lambda and how to use it, see [What is AWS Lambda?][1]. For a detailed example of setting up Lambda and API Gateway, see [Serverless Applications with AWS Lambda and API Gateway][11].

NOTE: Due to AWS Lambda improved VPC networking changes that began deploying in September 2019, EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. Terraform AWS Provider version 2.31.0 and later automatically handles this increased timeout; prior versions require setting the customizable deletion timeouts of those Terraform resources to 45 minutes (delete = "45m"). AWS and HashiCorp are working together to reduce the amount of time required for resource deletion, and updates can be tracked in this GitHub issue.

To give an external source (like a CloudWatch Event Rule, SNS, or S3) permission to access the Lambda function, use the aws_lambda_permission resource. See [Lambda Permission Model][4] for more details. On the other hand, the role argument of this resource is the function's execution role for identity and access to AWS services and resources.
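A hardened aws_lambda_function, as an added example that is not one of the GitHub samples above or the registry's own code. It sets the security-relevant arguments from the parameter list explicitly: a least-privilege execution role with a confused-deputy condition, a customer-managed KMS key for environment variables, a pinned artifact hash, an enforced code-signing configuration, a concurrency cap, tracing and a log group with retention. The names (orders-api, build/orders-api.zip, the key, role and Signer profile declared alongside it) are assumptions for illustration.

```hcl
# Added example; every name below is assumed for illustration.
data "aws_caller_identity" "current" {}

# Customer-managed key for environment-variable encryption (assumed resource)
resource "aws_kms_key" "lambda_env" {
  description         = "Encrypts orders-api environment variables"
  enable_key_rotation = true
}

# Created explicitly so retention is set; otherwise Lambda creates it with no expiry
resource "aws_cloudwatch_log_group" "orders" {
  name              = "/aws/lambda/orders-api"
  retention_in_days = 30
}

# Execution role: assumable only by the Lambda service acting for this account
resource "aws_iam_role" "orders_exec" {
  name = "orders-api-exec"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
      Condition = {
        StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id }
      }
    }]
  })
}

# Least privilege: this function's log group, X-Ray, and its own KMS key only
resource "aws_iam_role_policy" "orders_exec" {
  role = aws_iam_role.orders_exec.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
        Resource = "${aws_cloudwatch_log_group.orders.arn}:*"
      },
      {
        Effect   = "Allow"
        Action   = ["xray:PutTraceSegments", "xray:PutTelemetryRecords"]
        Resource = "*"
      },
      {
        Effect   = "Allow"
        Action   = "kms:Decrypt"
        Resource = aws_kms_key.lambda_env.arn
      }
    ]
  })
}

# Only artifacts signed with this Signer profile may be deployed to the function
resource "aws_signer_signing_profile" "orders" {
  platform_id = "AWSLambda-SHA384-ECDSA"
}

resource "aws_lambda_code_signing_config" "orders" {
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.orders.version_arn]
  }
  policies {
    untrusted_artifact_on_deployment = "Enforce" # reject, do not merely warn
  }
}

resource "aws_lambda_function" "orders" {
  function_name = "orders-api"
  role          = aws_iam_role.orders_exec.arn
  package_type  = "Zip"
  runtime       = "nodejs18.x"
  handler       = "index.handler"
  # build/orders-api.zip is the signed artifact produced by AWS Signer; the hash
  # pins its content, so a changed zip forces a redeploy and an unchanged one does not
  filename                = "build/orders-api.zip"
  source_code_hash        = filebase64sha256("build/orders-api.zip")
  code_signing_config_arn = aws_lambda_code_signing_config.orders.arn
  # Environment variables are encrypted at rest with the customer-managed key
  kms_key_arn = aws_kms_key.lambda_env.arn
  environment {
    variables = {
      ORDERS_TABLE = "orders" # configuration only; secrets belong in Secrets Manager
    }
  }
  # Bound the blast radius: a burst cannot drain the account's concurrency pool,
  # and a hung invocation is cut off after 10 s
  reserved_concurrent_executions = 50
  timeout                        = 10
  memory_size                    = 256
  tracing_config {
    mode = "Active"
  }
  depends_on = [aws_cloudwatch_log_group.orders, aws_iam_role_policy.orders_exec]
}
```

With `untrusted_artifact_on_deployment = "Enforce"`, an `UpdateFunctionCode` whose package is unsigned, or signed by a profile outside the allowed publishers, is rejected rather than deployed with a warning; a "Warn" policy only writes a CloudWatch metric and still deploys the artifact.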
Tips: Best Practices for the Other AWS Lambda Resources
In addition to aws_lambda_permission, AWS Lambda has other resources that should be configured with security in mind. Please check the following examples of those resources and their precautions.
aws_lambda_permission
Ensure you limit the Lambda function's invoke permission as much as possible
When granting an external service permission to invoke the function, set `source_arn` (and, for services whose resource ARNs carry no account ID, such as S3 buckets, `source_account`) so that only the intended resource can invoke it. A permission that names only the `principal` lets any resource of that service, in any AWS account, invoke the function.
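The scoped permission beside the over-broad one, as an added example that is not part of the page's GitHub samples. The bucket, the function aws_lambda_function.process_upload and the statement names are assumptions.

```hcl
# Added example; the bucket, function and statement names are assumed.
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "uploads" {
  bucket = "example-uploads-${data.aws_caller_identity.current.account_id}"
}

# Too broad: any S3 bucket in any AWS account whose notification configuration
# points at this function's ARN could invoke it.
# resource "aws_lambda_permission" "from_any_bucket" {
#   statement_id  = "AllowS3Invoke"
#   action        = "lambda:InvokeFunction"
#   function_name = aws_lambda_function.process_upload.function_name
#   principal     = "s3.amazonaws.com"
# }

# Scoped: only this bucket, and only while it is owned by this account.
# S3 bucket ARNs contain no account ID, so source_account closes the gap
# left by a bucket name being re-registered in another account.
resource "aws_lambda_permission" "from_uploads_bucket" {
  statement_id   = "AllowUploadsBucketInvoke"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.process_upload.function_name
  principal      = "s3.amazonaws.com"
  source_arn     = aws_s3_bucket.uploads.arn
  source_account = data.aws_caller_identity.current.account_id
}

# The notification is created only after the permission exists; otherwise S3
# rejects the configuration because it cannot validate the invoke right.
resource "aws_s3_bucket_notification" "uploads" {
  bucket = aws_s3_bucket.uploads.id
  lambda_function {
    lambda_function_arn = aws_lambda_function.process_upload.arn
    events              = ["s3:ObjectCreated:*"]
  }
  depends_on = [aws_lambda_permission.from_uploads_bucket]
}
```

The same pattern applies to SNS topics and CloudWatch Events / EventBridge rules: use the topic or rule ARN as `source_arn`; since those ARNs already include the account ID, `source_account` is optional there.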
AWS::Lambda::Function (CloudFormation)
A Lambda function is configured in CloudFormation with the resource type AWS::Lambda::Function. The following sections describe several examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::Lambda::Function
DependsOn:
  - LambdaRole
  - LambdaPolicy
  - CreateClientFunctionExecutionPolicy
Properties:

Type: "AWS::Lambda::Function"
Properties:
  Code:
    ZipFile: |
      def handler(event, context):
          return True

Type: AWS::Lambda::Function
Properties:
  # Name, Alias, CurrentVersion and TargetVersion are not AWS::Lambda::Function
  # properties; CloudFormation rejects them as unsupported for this resource type
  Name: "getpdf"
  Alias: "getpdfAlias"
  CurrentVersion: "1"
  TargetVersion: "2"

Type: 'AWS::Lambda::Function'
Properties:
  # KmsKeyArn expects a key ARN, not an alias name; alias/aws/lambda is the
  # AWS-managed key that Lambda uses by default when KmsKeyArn is omitted
  KmsKeyArn: alias/aws/lambda
  # key_type, expectations and rules are not AWS::Lambda::Function properties
  key_type: AWS_CLOUDHSM
  expectations:
    rules:

"Type": "AWS::Lambda::Function",
"Properties": {
  "Handler": "org.naic.function.ApplicationFunctions::getApplicationsForUser",
  "Role": "arn:aws:iam::572366721424:role/LambdaArticleBlueprint-devstack-GetArticleRole-CYZ8M81X7W35",
  "Code": {
    "S3Bucket": {

"Type": "AWS::Lambda::Function",
"Properties": {
  "Handler": "receiveorder.handler",
  "Role": { "Fn::GetAtt" : ["LambdaExecutionRole", "Arn"] },
  "Code": {
    "S3Bucket": "[USE YOUR BUCKET HERE]",

"Type": "AWS::Lambda::Function",
"Properties": {
  "Code": {
    "S3Bucket": {"Ref": "BucketName"},
    "S3Key": "lambda/start_stepf_lambda.zip"
  },

"Type": "AWS::Lambda::Function",
"Properties": {
  "Code": {
    "S3Bucket": "sam-demo-bucket",
    "S3Key": "hello.zip"
  },

"Type": "AWS::Lambda::Function",
"Properties": {
  "Code": {
    "S3Bucket": {"Ref": "Bucket"},
    "S3Key": "deploy/src/emails.zip"
  },
Parameters
Code - required - Code
DeadLetterConfig - optional - DeadLetterConfig
Description - optional - String
Environment - optional - Environment
FileSystemConfigs - optional - List of FileSystemConfig
FunctionName - optional - String
Handler - optional - String
Architectures - optional - List
KmsKeyArn - optional - String
Layers - optional - List
MemorySize - optional - Integer
ReservedConcurrentExecutions - optional - Integer
Role - required - String
Runtime - optional - String
Tags - optional - List of Tag
Timeout - optional - Integer
TracingConfig - optional - TracingConfig
VpcConfig - optional - VpcConfig
CodeSigningConfigArn - optional - String
ImageConfig - optional - ImageConfig
PackageType - optional - String
Explanation in CloudFormation Registry
The AWS::Lambda::Function resource creates a Lambda function. To create a function, you need a deployment package and an execution role. The deployment package is a .zip file archive or container image that contains your function code. The execution role grants the function permission to use AWS services, such as Amazon CloudWatch Logs for log streaming and AWS X-Ray for request tracing.

You set the package type to Image if the deployment package is a container image. For a container image, the code property must include the URI of a container image in the Amazon ECR registry. You do not need to specify the handler and runtime properties. You set the package type to Zip if the deployment package is a [.zip file archive](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html#gettingstarted-package-zip). For a .zip file archive, the code property specifies the location of the .zip file. You must also specify the handler and runtime properties. For a Python example, see [Deploy Python Lambda functions with .zip file archives](https://docs.aws.amazon.com/lambda/latest/dg/python-package.html).

You can use code signing if your deployment package is a .zip file archive. To enable code signing for this function, specify the ARN of a code-signing configuration. When a user attempts to deploy a code package with UpdateFunctionCode, Lambda checks that the code package has a valid signature from a trusted publisher. The code-signing configuration includes a set of signing profiles, which define the trusted publishers for this function.

Note that you configure provisioned concurrency on an AWS::Lambda::Version or an AWS::Lambda::Alias.

For a complete introduction to Lambda functions, see What is Lambda? in the Lambda developer guide.
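A Zip-packaged function with code signing enforced, as an added example that is not one of the GitHub samples above or AWS's own template. It wires a CodeSigningConfig to the function, gives the execution role only the log-group and X-Ray rights it needs, and restricts who may assume the role. The resource names, the orders-api function and the SigningProfileVersionArn / ArtifactBucket / ArtifactKey parameters are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (names and parameters are assumed): a Lambda function that
  only accepts deployment packages signed by a trusted AWS Signer profile.

Parameters:
  SigningProfileVersionArn:
    Type: String
    Description: Version ARN of the AWS Signer profile trusted to sign this function's code
  ArtifactBucket:
    Type: String
  ArtifactKey:
    Type: String
    Description: Key of the signed .zip that AWS Signer wrote to the artifact bucket

Resources:
  # Created explicitly so retention is set; otherwise Lambda creates it with no expiry
  OrdersLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/lambda/orders-api
      RetentionInDays: 30

  # Execution role: assumable only by the Lambda service acting for this account
  OrdersExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Policies:
        - PolicyName: orders-api-runtime
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub "${OrdersLogGroup.Arn}:*"
              - Effect: Allow
                Action:
                  - xray:PutTraceSegments
                  - xray:PutTelemetryRecords
                Resource: "*"

  # Enforce rejects an unsigned or untrusted package; Warn would still deploy it
  OrdersCodeSigningConfig:
    Type: AWS::Lambda::CodeSigningConfig
    Properties:
      AllowedPublishers:
        SigningProfileVersionArns:
          - !Ref SigningProfileVersionArn
      CodeSigningPolicies:
        UntrustedArtifactOnDeployment: Enforce

  OrdersFunction:
    Type: AWS::Lambda::Function
    DependsOn: OrdersLogGroup
    Properties:
      FunctionName: orders-api
      PackageType: Zip
      Runtime: python3.11
      Handler: app.handler
      Role: !GetAtt OrdersExecutionRole.Arn
      Code:
        S3Bucket: !Ref ArtifactBucket
        S3Key: !Ref ArtifactKey
      CodeSigningConfigArn: !GetAtt OrdersCodeSigningConfig.CodeSigningConfigArn
      # Cap concurrency and runtime so a flood of events cannot exhaust the account pool
      ReservedConcurrentExecutions: 50
      Timeout: 10
      MemorySize: 256
      TracingConfig:
        Mode: Active
```

Code signing applies only to Zip packages; for PackageType Image, supply-chain trust has to come from the ECR side (immutable tags, image scanning and a digest-pinned ImageUri) instead of CodeSigningConfigArn.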
Frequently asked questions
What is AWS Lambda Function?
AWS Lambda Function is a Lambda resource of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Lambda Function?
For Terraform, the fraoucene/serverless-react-app, jjoc007/poc-crud-dynamo-golang-terraform and sayan83/Crowdless source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the victorsalaun/skillbrowser-aws-serverless, awslabs/serverless-subtitles and roy-so-chae/test1 source code examples are useful. See the CloudFormation Example section for further details.