AWS Lambda Function
This page shows how to write Terraform and CloudFormation for a Lambda Function, and how to configure it securely.
aws_lambda_function (Terraform)
The Function in Lambda can be configured in Terraform with the resource name aws_lambda_function. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
# Example 1
resource "aws_lambda_function" "get_todos" {
  function_name = "GetTodos"
  filename      = "lambdas/getTodos.zip"
  handler       = "getTodos.handler"
  runtime       = "nodejs10.x" # deprecated runtime; move to a currently supported Node.js version
  role          = aws_iam_role.lambda_exec.arn
}

# Example 2 (Go binary; the source omits runtime, which a Zip deployment package requires)
resource "aws_lambda_function" "poc_create_person_lambda" {
  filename         = "../lambdas/build/person_create/main.zip"
  function_name    = "poc_create_person_lambda"
  role             = aws_iam_role.poc_lambda_role.arn
  handler          = "main"
  runtime          = "go1.x" # assumed, not in the source: a Go binary named "main" is the go1.x convention (itself deprecated; new code targets provided.al2 with a "bootstrap" handler)
  source_code_hash = filebase64sha256("../lambdas/build/person_create/main.zip")
}

# Example 3
resource "aws_lambda_function" "getStoreInfo" {
  filename      = "deployment_packages/getStoreInfo.zip" # the source used Windows backslashes; forward slashes work on every platform
  function_name = "getStoreInfo"
  role          = aws_iam_role.crowdless_lambda_role.arn
  handler       = "index.handler" # the source had "index.js", a file name; Node.js handlers are "<file>.<exported function>"
  runtime       = "nodejs12.x" # deprecated runtime; move to a currently supported Node.js version
}

# Example 4 (the source omits runtime; the hard-coded role ARN also puts an account ID into source control,
# where aws_iam_role.<name>.arn would not)
resource "aws_lambda_function" "simple_lambda" {
  filename         = "../src/simple/bundle.zip"
  function_name    = "ProlambSimple"
  role             = "arn:aws:iam::869128890907:role/iam_for_lambda"
  handler          = "main.handler"
  runtime          = "python3.9" # assumed, not in the source: "main.handler" is the module.function form used by Python handlers
  source_code_hash = filebase64sha256("../src/simple/bundle.zip")
}
Parameters
- arn (optional, computed): string
- code_signing_config_arn (optional): string
- description (optional): string
- filename (optional): string
- function_name (required): string
- handler (optional): string
- id (optional, computed): string
- image_uri (optional): string
- invoke_arn (optional, computed): string
- kms_key_arn (optional): string
- last_modified (optional, computed): string
- layers (optional): list of string
- memory_size (optional): number
- package_type (optional): string
- publish (optional): bool
- qualified_arn (optional, computed): string
- reserved_concurrent_executions (optional): number
- role (required): string
- runtime (optional): string
- s3_bucket (optional): string
- s3_key (optional): string
- s3_object_version (optional): string
- signing_job_arn (optional, computed): string
- signing_profile_version_arn (optional, computed): string
- source_code_hash (optional, computed): string
- source_code_size (optional, computed): number
- tags (optional): map from string to string
- timeout (optional): number
- version (optional, computed): string
- dead_letter_config (list block)
  - target_arn (required): string
- environment (list block)
  - variables (optional): map from string to string
- file_system_config (list block)
  - arn (required): string
  - local_mount_path (required): string
- image_config (list block)
  - command (optional): list of string
  - entry_point (optional): list of string
  - working_directory (optional): string
- timeouts (single block)
  - create (optional): string
- tracing_config (list block)
  - mode (required): string
- vpc_config (list block)
  - security_group_ids (required): set of string
  - subnet_ids (required): set of string
  - vpc_id (optional, computed): string
Explanation in Terraform Registry
Provides a Lambda Function resource. Lambda allows you to trigger execution of code in response to events in AWS, enabling serverless backend solutions. The Lambda Function itself includes source code and runtime configuration. For information about Lambda and how to use it, see [What is AWS Lambda?][1]. For a detailed example of setting up Lambda and API Gateway, see [Serverless Applications with AWS Lambda and API Gateway][11].
NOTE: Due to AWS Lambda improved VPC networking changes that began deploying in September 2019, EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. Terraform AWS Provider version 2.31.0 and later automatically handles this increased timeout; prior versions require setting the customizable deletion timeouts of those Terraform resources to 45 minutes (delete = "45m"). AWS and HashiCorp are working together to reduce the amount of time required for resource deletion, and updates can be tracked in this GitHub issue.
To give an external source (like a CloudWatch Event Rule, SNS, or S3) permission to access the Lambda function, use the aws_lambda_permission resource. See [Lambda Permission Model][4] for more details. The role argument of this resource, on the other hand, is the function's execution role: the identity the function runs as when it accesses AWS services and resources.
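The GitHub snippets above set only the arguments needed to get a function deployed. The configuration below is an added example, not code from this page's sources, showing the security-relevant arguments of aws_lambda_function set explicitly next to a least-privilege execution role. The names aws_kms_key.lambda, aws_sqs_queue.dlq, aws_subnet.private_a, aws_subnet.private_b and aws_security_group.lambda are hypothetical resources assumed to be defined elsewhere, and build/app.zip is assumed to be the locally built package.

```hcl
# Added example: hardened aws_lambda_function with a least-privilege execution role.
# Assumed to exist elsewhere: aws_kms_key.lambda, aws_sqs_queue.dlq,
# aws_subnet.private_a / private_b, aws_security_group.lambda, and build/app.zip.

# Trust policy: only the Lambda service may assume the execution role.
data "aws_iam_policy_document" "lambda_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "exec" {
  name               = "app-exec"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
}

# AWS-managed policy covering CloudWatch Logs plus the ENI calls a VPC-attached function needs.
resource "aws_iam_role_policy_attachment" "vpc_access" {
  role       = aws_iam_role.exec.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

# Everything else is granted explicitly and scoped to one resource where the API allows it.
data "aws_iam_policy_document" "exec" {
  statement {
    actions   = ["sqs:SendMessage"]
    resources = [aws_sqs_queue.dlq.arn]
  }
  statement {
    actions   = ["xray:PutTraceSegments", "xray:PutTelemetryRecords"]
    resources = ["*"] # X-Ray has no resource-level permissions for these actions
  }
}

resource "aws_iam_role_policy" "exec" {
  role   = aws_iam_role.exec.id
  policy = data.aws_iam_policy_document.exec.json
}

resource "aws_lambda_function" "app" {
  function_name    = "app"
  filename         = "build/app.zip"
  source_code_hash = filebase64sha256("build/app.zip") # code is updated only when the package content changes
  handler          = "index.handler"
  runtime          = "nodejs18.x"
  role             = aws_iam_role.exec.arn

  # Environment variables are encrypted at rest with a customer-managed key, so who can read
  # them in plaintext is governed by that key's policy rather than by the default AWS-managed key.
  kms_key_arn = aws_kms_key.lambda.arn
  environment {
    variables = {
      TABLE_NAME = "app-items" # configuration only; long-lived secrets belong in Secrets Manager or Parameter Store
    }
  }

  # Bound the blast radius of an event flood: this function can take at most 20 of the account's
  # concurrency, and a VPC function cannot exhaust the IP addresses of its subnets.
  reserved_concurrent_executions = 20
  timeout                        = 10
  memory_size                    = 256

  # Events that fail all asynchronous retries are kept for investigation instead of being dropped.
  dead_letter_config {
    target_arn = aws_sqs_queue.dlq.arn
  }

  # Active X-Ray tracing records a call graph per invocation, which is what incident response needs.
  tracing_config {
    mode = "Active"
  }

  # Attach to private subnets only when the function must reach VPC-internal resources;
  # its egress is then controlled by the security group and the subnets' route tables.
  vpc_config {
    subnet_ids         = [aws_subnet.private_a.id, aws_subnet.private_b.id]
    security_group_ids = [aws_security_group.lambda.id]
  }

  # The role must be able to write logs and create ENIs before the function is created.
  depends_on = [aws_iam_role_policy_attachment.vpc_access, aws_iam_role_policy.exec]
}
```

Two things to check before applying this pattern: the key policy of the customer-managed key must let the principal that runs `terraform apply` use the key, otherwise the environment block fails to encrypt; and `reserved_concurrent_executions` is a hard cap, so size it from measured peak load rather than a guess, or legitimate events will be throttled.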
Tips: Best Practices for The Other AWS Lambda Resources
Besides aws_lambda_function itself, other Lambda resources decide who may invoke the function, and they need the same care. The main one is aws_lambda_permission.
aws_lambda_permission
Ensure to limit your Lambda function permission as much as possible
When granting a service principal (s3.amazonaws.com, events.amazonaws.com, sns.amazonaws.com, and so on) permission to invoke the function, set `source_arn` to the ARN of the specific bucket, rule or topic whenever it can be specified. Without it, any resource of that service in any AWS account that knows the function name can trigger the function. For services whose ARNs carry no account ID, such as S3, also set `source_account` so the grant is pinned to your own account.
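The following is an added example, not code from this page's GitHub sources, showing an over-broad aws_lambda_permission next to the scoped forms for three common invokers. aws_lambda_function.app, aws_lambda_alias.live, aws_s3_bucket.uploads and aws_cloudwatch_event_rule.nightly are hypothetical resources assumed to be defined elsewhere, and the partner role ARN is a placeholder.

```hcl
# Added example: weak versus scoped aws_lambda_permission.
# Assumed to exist elsewhere: aws_lambda_function.app, aws_lambda_alias.live,
# aws_s3_bucket.uploads, aws_cloudwatch_event_rule.nightly.

data "aws_caller_identity" "current" {}

# WEAK: any S3 bucket in any AWS account may invoke the function. The only thing an
# attacker needs is the function name (a confused-deputy condition).
resource "aws_lambda_permission" "s3_weak" {
  statement_id  = "AllowS3Invoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.app.function_name
  principal     = "s3.amazonaws.com"
}

# SCOPED: one bucket (source_arn) in this account (source_account). Bucket ARNs carry no
# account ID and a deleted bucket's name can be re-registered by someone else, so
# source_account is what ties the grant to your account.
resource "aws_lambda_permission" "s3_scoped" {
  statement_id   = "AllowUploadsBucketInvoke"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.app.function_name
  principal      = "s3.amazonaws.com"
  source_arn     = aws_s3_bucket.uploads.arn
  source_account = data.aws_caller_identity.current.account_id
}

# EventBridge: source_arn names the single rule allowed to invoke; a rule ARN already
# contains the account ID, so source_account adds nothing here.
resource "aws_lambda_permission" "events" {
  statement_id  = "AllowNightlyRule"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.app.function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.nightly.arn
}

# Cross-account caller: grant to one role, not a whole account, and pin the grant to the
# published alias with qualifier so only the reviewed version behind it can be invoked.
resource "aws_lambda_permission" "partner" {
  statement_id  = "AllowPartnerRole"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.app.function_name
  qualifier     = aws_lambda_alias.live.name
  principal     = "arn:aws:iam::111122223333:role/partner-invoker" # placeholder role ARN
}
```

After applying, `aws lambda get-policy --function-name app` shows the resulting resource policy; every statement should carry an `ArnLike`/`StringEquals` condition on `AWS:SourceArn` or `AWS:SourceAccount`, or name a specific IAM principal. A statement with a bare service principal and no condition is the `s3_weak` case and should be removed.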
AWS::Lambda::Function (CloudFormation)
The Function in Lambda can be configured in CloudFormation with the resource name AWS::Lambda::Function. The following sections describe examples, taken from public GitHub repositories, of how to use the resource and its parameters.
Example Usage from GitHub
Example 1 (fragment: the source cuts off after Properties)
Type: AWS::Lambda::Function
DependsOn:
  - LambdaRole
  - LambdaPolicy
  - CreateClientFunctionExecutionPolicy
Properties:

Example 2 (inline Python handler; the source omits Handler, Runtime and Role, all of which a Zip-type function needs)
Type: "AWS::Lambda::Function"
Properties:
  Code:
    ZipFile: |
      def handler(event, context):
          return True

Example 3 (fragment: Name, Alias, CurrentVersion and TargetVersion are not AWS::Lambda::Function properties, so this snippet fails template validation as written)
Type: AWS::Lambda::Function
Properties:
  Name: "getpdf"
  Alias: "getpdfAlias"
  CurrentVersion: "1"
  TargetVersion: "2"

Example 4 (a linter test fixture rather than a deployable template: KmsKeyArn must be a full KMS key ARN, and key_type, expectations and rules are not template keys)
Type: 'AWS::Lambda::Function'
Properties:
  KmsKeyArn: alias/aws/lambda
key_type: AWS_CLOUDHSM
expectations:
  rules:

Example 5 (JSON; cut off after S3Bucket; the hard-coded account ID and role name put an account ID into source, which Fn::GetAtt on a role in the same template avoids)
"Type": "AWS::Lambda::Function",
"Properties": {
  "Handler": "org.naic.function.ApplicationFunctions::getApplicationsForUser",
  "Role": "arn:aws:iam::572366721424:role/LambdaArticleBlueprint-devstack-GetArticleRole-CYZ8M81X7W35",
  "Code": {
    "S3Bucket": {

Example 6 (JSON; cut off after S3Bucket; references the execution role with Fn::GetAtt)
"Type": "AWS::Lambda::Function",
"Properties": {
  "Handler": "receiveorder.handler",
  "Role": { "Fn::GetAtt" : ["LambdaExecutionRole", "Arn"] },
  "Code": {
    "S3Bucket": "[USE YOUR BUCKET HERE]",

Example 7 (JSON; bucket taken from a template parameter)
"Type": "AWS::Lambda::Function",
"Properties": {
  "Code": {
    "S3Bucket": {"Ref": "BucketName"},
    "S3Key": "lambda/start_stepf_lambda.zip"
  },

Example 8 (JSON; bucket name hard-coded)
"Type": "AWS::Lambda::Function",
"Properties": {
  "Code": {
    "S3Bucket": "sam-demo-bucket",
    "S3Key": "hello.zip"
  },

Example 9 (JSON; bucket referenced from a resource in the same template)
"Type": "AWS::Lambda::Function",
"Properties": {
  "Code": {
    "S3Bucket": {"Ref":"Bucket"},
    "S3Key": "deploy/src/emails.zip"
  },
Parameters
- Code (required): Code
- DeadLetterConfig (optional): DeadLetterConfig
- Description (optional): String
- Environment (optional): Environment
- FileSystemConfigs (optional): List of FileSystemConfig
- FunctionName (optional): String
- Handler (optional): String
- Architectures (optional): List
- KmsKeyArn (optional): String
- Layers (optional): List
- MemorySize (optional): Integer
- ReservedConcurrentExecutions (optional): Integer
- Role (required): String
- Runtime (optional): String
- Tags (optional): List of Tag
- Timeout (optional): Integer
- TracingConfig (optional): TracingConfig
- VpcConfig (optional): VpcConfig
- CodeSigningConfigArn (optional): String
- ImageConfig (optional): ImageConfig
- PackageType (optional): String
Explanation in CloudFormation Registry
The AWS::Lambda::Function resource creates a Lambda function. To create a function, you need a deployment package and an execution role. The deployment package is a .zip file archive or container image that contains your function code. The execution role grants the function permission to use AWS services, such as Amazon CloudWatch Logs for log streaming and AWS X-Ray for request tracing.
You set the package type to Image if the deployment package is a container image. For a container image, the code property must include the URI of a container image in the Amazon ECR registry. You do not need to specify the handler and runtime properties. You set the package type to Zip if the deployment package is a [.zip file archive](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html#gettingstarted-package-zip). For a .zip file archive, the code property specifies the location of the .zip file. You must also specify the handler and runtime properties. For a Python example, see [Deploy Python Lambda functions with .zip file archives](https://docs.aws.amazon.com/lambda/latest/dg/python-package.html).
You can use code signing if your deployment package is a .zip file archive. To enable code signing for this function, specify the ARN of a code-signing configuration. When a user attempts to deploy a code package with UpdateFunctionCode, Lambda checks that the code package has a valid signature from a trusted publisher. The code-signing configuration includes a set of signing profiles, which define the trusted publishers for this function.
Note that you configure provisioned concurrency on an AWS::Lambda::Version or an AWS::Lambda::Alias.
For a complete introduction to Lambda functions, see What is Lambda? in the Lambda developer guide.
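The code-signing flow described above, and the code_signing_config_arn argument listed in the Terraform parameters earlier on this page, are shown end to end below. This is an added example in Terraform (the language used for the other added examples on this page), not code from the page's GitHub sources or from AWS; it assumes build/app.zip is the unsigned artifact, that aws_iam_role.exec is defined elsewhere, and that the artifacts bucket name is a placeholder.

```hcl
# Added example: only packages signed by a trusted Signer profile can be deployed.
# Assumed: build/app.zip exists locally and aws_iam_role.exec is defined elsewhere.

# Signer reads the unsigned object from S3 and requires a versioned bucket.
resource "aws_s3_bucket" "artifacts" {
  bucket = "example-lambda-artifacts" # placeholder; bucket names are global
}

resource "aws_s3_bucket_versioning" "artifacts" {
  bucket = aws_s3_bucket.artifacts.id
  versioning_configuration {
    status = "Enabled"
  }
}

# The signing profile is the trusted publisher. Its version ARN, not the profile ARN,
# is what the code-signing config trusts, so rotating the profile revokes old trust.
resource "aws_signer_signing_profile" "release" {
  platform_id = "AWSLambda-SHA384-ECDSA" # the only platform Lambda accepts
  name_prefix = "release_"
}

resource "aws_lambda_code_signing_config" "release" {
  description = "Only packages signed by the release profile may be deployed"
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.release.version_arn]
  }
  policies {
    # Enforce: UpdateFunctionCode with an unsigned or mis-signed package is rejected.
    # "Warn" logs the mismatch and deploys anyway, acceptable only while piloting.
    untrusted_artifact_on_deployment = "Enforce"
  }
}

resource "aws_s3_object" "unsigned" {
  bucket = aws_s3_bucket.artifacts.id
  key    = "unsigned/app.zip"
  source = "build/app.zip"
  etag   = filemd5("build/app.zip") # re-upload (and re-sign) when the build changes
  depends_on = [aws_s3_bucket_versioning.artifacts]
}

# The signing job writes a signed copy under signed/; its key is exposed as an attribute.
resource "aws_signer_signing_job" "release" {
  profile_name = aws_signer_signing_profile.release.name
  source {
    s3 {
      bucket  = aws_s3_bucket.artifacts.id
      key     = aws_s3_object.unsigned.key
      version = aws_s3_object.unsigned.version_id
    }
  }
  destination {
    s3 {
      bucket = aws_s3_bucket.artifacts.id
      prefix = "signed/"
    }
  }
  ignore_signing_job_failure = false # a failed signature must fail the apply
}

resource "aws_lambda_function" "app" {
  function_name           = "app"
  role                    = aws_iam_role.exec.arn
  handler                 = "index.handler"
  runtime                 = "nodejs18.x"
  code_signing_config_arn = aws_lambda_code_signing_config.release.arn

  # Deploy the signed object that Signer produced, never the local zip: with the
  # config attached, an unsigned package via filename would be rejected by Lambda.
  s3_bucket = aws_signer_signing_job.release.signed_object[0].s3[0].bucket
  s3_key    = aws_signer_signing_job.release.signed_object[0].s3[0].key
}
```

Code signing only covers Zip packages, as the explanation above says; a container image function needs image signing and verification in the registry pipeline instead. Also keep the signing profile's IAM permissions narrow: anyone who can call `signer:StartSigningJob` with this profile can produce packages the function will accept, so that permission belongs to the release pipeline role only.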
Frequently asked questions
What is AWS Lambda Function?
AWS Lambda Function is a resource for Lambda of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Lambda Function?
For Terraform, the fraoucene/serverless-react-app, jjoc007/poc-crud-dynamo-golang-terraform and sayan83/Crowdless source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the victorsalaun/skillbrowser-aws-serverless, awslabs/serverless-subtitles and roy-so-chae/test1 source code examples are useful. See the CloudFormation Example section for further details.