module "lambda" {
source = "git@github.com:oozou/terraform-aws-lambda.git?ref=v1.1.0"
prefix = "oozou"
environment = "dev"
name = "demo"
is_edge = true # Defautl is `fault`, If you want to publish to the edge don't forget to override aws's provider to virgina
# If is_edge is `false`, ignore this config
is_create_lambda_bucket = true # Default is `false`; plz use false, if not 1 lambda: 1 bucket
bucket_name = "" # If `is_create_lambda_bucket` is `false`; specified this, default is `""`
# Source code
source_code_dir = "./src"
file_globs = ["main.py"]
compressed_local_file_dir = "./outputs"
# Lambda Env
runtime = "python3.9"
handler = "main.lambda_handler"
# Lambda Specification
timeout = 3 # Default is `3` seconds
memory_size = 128 # Default is `128` MB, the more mem size increase, the performance is better
reserved_concurrent_executions = -1
# Optional to connect Lambda to VPC
vpc_config = {
security_group_ids = ["sg-028f637312eea735e"]
subnet_ids_to_associate = ["subnet-0b853f8c85796d72d", "subnet-07c068b4b51262793", "subnet-0362f68c559ef7716"]
}
dead_letter_target_arn = "arn:aws:sns:ap-southeast-1:557291035693:demo" # To send failed processing to target, Default is `""`
# IAM
is_create_lambda_role = true # Default is `true`
lambda_role_arn = "" # If `is_create_lambda_role` is `false`
# The policies that you want to attach to IAM Role created by only this module
additional_lambda_role_policy_arns = {
allow_lambda_to_read_s3 = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}
# Resource policy
lambda_permission_configurations = {
lambda_on_my_account = {
pricipal = "apigateway.amazonaws.com"
source_arn = "arn:aws:execute-api:ap-southeast-1:557291035693:lk36vflbha/*/*/"
}
lambda_on_my_another_account_wrong = {
pricipal = "apigateway.amazonaws.com"
source_arn = "arn:aws:execute-api:ap-southeast-1:562563527952:q6pwa6wgr6/*/*/"
source_account = "557291035693" # Optional just to restrict the permission
}
lambda_on_my_another_account_correct = {
pricipal = "apigateway.amazonaws.com"
source_arn = "arn:aws:execute-api:ap-southeast-1:557291035693:wpj4t3scmb/*/*/"
}
}
# Logging
is_create_cloudwatch_log_group = true # Default is `true`
cloudwatch_log_retention_in_days = 30 # Default is `90`
# Env
ssm_params = {}
plaintext_params = {
region = "ap-southeast-1"
cluster_name = "oozou-dev-test-schedule-cluster"
nodegroup_name = "oozou-dev-test-schedule-custom-nodegroup"
min = 1,
max = 1,
desired = 1
}
tags = var.generics_info["custom_tags"]
}| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| archive | 2.2.0 |
| aws | >= 4.0.0 |
| Name | Version |
|---|---|
| archive | 2.2.0 |
| aws | 4.29.0 |
| Name | Source | Version |
|---|---|---|
| s3 | oozou/s3/aws | 1.1.2 |
| Name | Type |
|---|---|
| aws_cloudwatch_log_group.this | resource |
| aws_iam_policy.ssm_policy | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy.logs_role_policy | resource |
| aws_iam_role_policy_attachment.ssm_policy_attachment | resource |
| aws_iam_role_policy_attachment.this | resource |
| aws_lambda_function.this | resource |
| aws_lambda_permission.allow_serivce | resource |
| aws_s3_object.this | resource |
| aws_ssm_parameter.params | resource |
| archive_file.this | data source |
| aws_iam_policy_document.assume_role_policy_doc | data source |
| aws_iam_policy_document.lambda_access_vpc | data source |
| aws_iam_policy_document.lambda_logs_policy_doc | data source |
| aws_iam_policy_document.lambda_policy | data source |
| aws_iam_policy_document.secret_access_policy_doc | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_lambda_role_policy_arns | Map of policies ARNs to attach to the lambda | map(string) |
{} |
no |
| bucket_name | Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | string |
"" |
no |
| cloudwatch_log_kms_key_id | The ARN for the KMS encryption key. | string |
null |
no |
| cloudwatch_log_retention_in_days | Retention day for cloudwatch log group | number |
90 |
no |
| compressed_local_file_dir | A path to the directory to store plan time generated local files | string |
"" |
no |
| config_file_name | The name of the file var.plaintext_params will be written to as json | string |
"config.json" |
no |
| dead_letter_target_arn | Dead letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. | string |
null |
no |
| environment | Environment Variable used as a prefix | string |
n/a | yes |
| file_globs | list of files or globs that you want included from the source_code_dir | list(string) |
[] |
no |
| handler | Function entrypoint in your code. | string |
n/a | yes |
| is_create_cloudwatch_log_group | Whether to create cloudwatch log group or not | bool |
true |
no |
| is_create_lambda_bucket | Whether to create lambda bucket or not | bool |
false |
no |
| is_create_lambda_role | Whether to create lamda role or not | bool |
true |
no |
| is_edge | Whether lambda is lambda@Edge or not | bool |
false |
no |
| lambda_permission_configurations | principal - (Required) The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com. source_arn - (Optional) When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from source_account - (Optional) This parameter is used for S3 and SES. The AWS account ID (without a hyphen) of the source owner. |
any |
{} |
no |
| lambda_role_arn | The arn of role that already created by something to asso with lambda | string |
"" |
no |
| memory_size | (Optional) Amount of memory in MB your Lambda Function can use at runtime. Defaults to 128. | number |
128 |
no |
| name | Name of the ECS cluster to create | string |
n/a | yes |
| plaintext_params | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for values read from a config file. ! PLAINTEXT const config = JSON.parse(readFileSync('./config.json')) |
map(string) |
{} |
no |
| prefix | The prefix name of customer to be displayed in AWS console and resource | string |
n/a | yes |
| reserved_concurrent_executions | (Optional) Amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. See Managing Concurrency | number |
-1 |
no |
| runtime | The runtime of the lambda function | string |
n/a | yes |
| source_code_dir | An absolute path to the directory containing the code to upload to lambda | string |
"" |
no |
| ssm_params | Lambda@Edge does not support env vars, so it is a common pattern to exchange Env vars for SSM params. ! SECRET you would have lookups in SSM, like: const someEnvValue = await ssmClient.getParameter({ Name: 'SOME_SSM_PARAM_NAME', WithDecryption: true }) |
map(string) |
{} |
no |
| tags | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | map(any) |
{} |
no |
| timeout | (Optional) Amount of time your Lambda Function has to run in seconds. Defaults to 3. | number |
3 |
no |
| tracing_mode | Tracing mode of the Lambda Function. Valid value can be either PassThrough or Active. | string |
"PassThrough" |
no |
| vpc_config | For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC. When you connect a function to a VPC, it can only access resources and the internet through that VPC. See VPC Settings. security_group_ids - (Required) List of security group IDs associated with the Lambda function. subnet_ids_to_associate - (Required) List of subnet IDs associated with the Lambda function. |
object({ |
{ |
no |
| Name | Description |
|---|---|
| arn | Amazon Resource Name (ARN) identifying your Lambda Function. |
| execution_role_arn | Role arn of lambda |
| function_arn | function arn |
| function_name | Name of AWS Lambda function |