schubergphilis/terraform-aws-mcaf-lambda

terraform-aws-mcaf-lambda

Terraform module to create an AWS Lambda function.

Tip

We do not pin modules to versions in our examples. We highly recommend that in your code you pin the version to the exact version you are using so that your infrastructure remains stable.

Important

Exactly one of var.filename, var.image_config.uri, or var.s3_bucket must be specified when using the module.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| archive | >= 2.0.0 |
| aws | >= 4.9.0 |

Providers

| Name | Version |
|------|---------|
| archive | >= 2.0.0 |
| aws | >= 4.9.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| lambda_role | schubergphilis/mcaf-role/aws | ~> 0.4.0 |

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.default | resource |
| aws_lambda_function.default | resource |
| aws_lambda_function_event_invoke_config.default | resource |
| aws_s3_object.s3_dummy | resource |
| aws_security_group.default | resource |
| aws_vpc_security_group_egress_rule.default | resource |
| archive_file.dummy | data source |
| aws_subnet.selected | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| name | The name of the lambda | string | n/a | yes |
| architecture | Instruction set architecture of the Lambda function | string | "x86_64" | no |
| cloudwatch_logs | Whether or not to configure a CloudWatch log group | bool | true | no |
| code_signing_config_arn | ARN for a Code Signing Configuration | string | null | no |
| create_s3_dummy_object | Whether or not to create a S3 dummy object | bool | true | no |
| dead_letter_target_arn | The ARN of an SNS topic or SQS queue to notify when an invocation fails | string | null | no |
| description | A description of the lambda | string | "" | no |
| destination_on_failure | ARN of the destination resource for failed asynchronous invocations | string | null | no |
| destination_on_success | ARN of the destination resource for successful asynchronous invocations | string | null | no |
| environment | A map of environment variables to assign to the lambda | map(string) | null | no |
| ephemeral_storage_size | The size of the Lambda function Ephemeral storage | number | null | no |
| execution_role | Configuration for lambda execution IAM role | object({ additional_policy_arns = optional(set(string), []), name_prefix = optional(string), path = optional(string, "/"), permissions_boundary = optional(string), policy = optional(string) }) | {} | no |
| execution_role_custom | Optional existing IAM role for Lambda execution. Overrides the role configured in the execution_role variable. | object({ arn = string }) | null | no |
| filename | The path to the function's deployment package within the local filesystem | string | null | no |
| handler | The function entrypoint in your code | string | "main.handler" | no |
| image_config | Container image configuration values. The ECR image URI must be a private ECR URI. | object({ command = optional(list(string), []), entry_point = optional(list(string), []), uri = optional(string), working_directory = optional(string) }) | null | no |
| kms_key_arn | The ARN of the KMS key used to encrypt the cloudwatch log group and environment variables | string | null | no |
| layers | List of Lambda layer ARNs to be used by the Lambda function | list(string) | [] | no |
| log_retention | Number of days to retain log events in the specified log group | number | 365 | no |
| memory_size | The memory size of the lambda | number | null | no |
| package_type | The Lambda deployment package type. | string | "Zip" | no |
| publish | Whether to publish creation/change as new lambda function version | bool | false | no |
| reserved_concurrency | The amount of reserved concurrent executions for this lambda function | number | null | no |
| retries | Maximum number of retries for the Lambda invocation | number | null | no |
| runtime | The function runtime to use | string | "python3.13" | no |
| s3_bucket | The S3 bucket location containing the function's deployment package | string | null | no |
| s3_key | The S3 key of an object containing the function's deployment package | string | null | no |
| s3_object_version | The object version containing the function's deployment package | string | null | no |
| security_group_egress_rules | Security Group egress rules | list(object({ cidr_ipv4 = optional(string), cidr_ipv6 = optional(string), description = string, from_port = optional(number, 0), ip_protocol = optional(string, "-1"), prefix_list_id = optional(string), referenced_security_group_id = optional(string), to_port = optional(number, 0) })) | [] | no |
| security_group_ids | The security group(s) for running the Lambda within the VPC. If not specified a minimal default SG will be created | list(string) | [] | no |
| security_group_name_prefix | An optional prefix to create a unique name of the security group. If not provided var.name will be used | string | null | no |
| source_code_hash | Optional source code hash | string | null | no |
| subnet_ids | The subnet ids where this lambda needs to run | list(string) | null | no |
| tags | A mapping of tags to assign to the bucket | map(string) | {} | no |
| timeout | The timeout of the lambda | number | 5 | no |
| tracing_config_mode | The lambda's AWS X-Ray tracing configuration | string | null | no |
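
A usage sketch added here (it is not taken from the module's own README) that applies the tip and the note near the top of this page: the version is pinned and exactly one code source is set, with the security-relevant inputs from the table filled in. The registry address is inferred from the repository name, the policy input is assumed to take a JSON policy document, and every ARN, ID, name and the version string is a placeholder.

```hcl
# Added example; every ARN, ID, name and the version string is a placeholder.
data "aws_iam_policy_document" "report" {
  statement {
    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::example-report-bucket/*"]
  }
}

module "report_lambda" {
  source  = "schubergphilis/mcaf-lambda/aws" # assumed registry address
  version = "X.Y.Z"                          # placeholder: pin the exact release you reviewed

  name    = "report-generator"
  runtime = "python3.13"
  handler = "main.handler"
  timeout = 30

  # Exactly one code source: filename is set, image_config.uri and s3_bucket are not.
  filename         = "${path.module}/build/report.zip"
  source_code_hash = filebase64sha256("${path.module}/build/report.zip")

  # Code signing configuration that deployment packages are validated against.
  code_signing_config_arn = "arn:aws:lambda:eu-west-1:111122223333:code-signing-config:csc-EXAMPLE"

  # Customer-managed key for the log group and the environment variables.
  kms_key_arn = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"
  environment = { REPORT_BUCKET = "example-report-bucket" }

  # Least privilege: one scoped policy, capped by a permissions boundary.
  execution_role = {
    permissions_boundary = "arn:aws:iam::111122223333:policy/example-boundary"
    policy               = data.aws_iam_policy_document.report.json
  }

  # security_group_ids is left empty, so the module creates its own security
  # group; the only egress rule allows HTTPS inside the VPC range.
  subnet_ids = ["subnet-0123456789abcdef0"]
  security_group_egress_rules = [{
    description = "HTTPS to VPC endpoints only"
    cidr_ipv4   = "10.0.0.0/16"
    from_port   = 443
    to_port     = 443
    ip_protocol = "tcp"
  }]

  reserved_concurrency = 5
  retries              = 1
}
```

Because kms_key_arn also encrypts the CloudWatch log group, the key policy has to allow the CloudWatch Logs service principal to use the key, otherwise log group creation fails.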

Outputs

| Name | Description |
|------|-------------|
| arn | ARN of the Lambda |
| invoke_arn | Invoke ARN of the Lambda |
| name | Function name of the Lambda |
| qualified_arn | Qualified ARN of the Lambda |
| role_arn | ARN of the lambda execution role |
| role_name | Name of the lambda execution role |
| security_group_id | If the Lambda is deployed into a VPC this will output the generated security group id (if no security groups are specified) |
| version | Latest published version of the Lambda function |

Licensing

100% Open Source and licensed under the Apache License Version 2.0. See LICENSE for full details.