terraform-aws-lambda

What's Changed

• refactor(deployment): use aws_s3_bucket_acl resource by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/62
• chore: upated tflint and added tfsec action by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/64
• feat: add input argument for cloudwatch_event_target by @ablotny in https://github.com/moritzzimmer/terraform-aws-lambda/pull/63

New Contributors

• @ablotny made their first contribution in https://github.com/moritzzimmer/terraform-aws-lambda/pull/63

Full Changelog: https://github.com/moritzzimmer/terraform-aws-lambda/compare/v6.3.0...v6.4.0

What's Changed

• feat: added filter criteria for event source mappings by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/61

Full Changelog: https://github.com/moritzzimmer/terraform-aws-lambda/compare/v6.2.0...v6.3.0

What's Changed

• feat: added possibility to disable CloudWatch logs by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/60

Full Changelog: https://github.com/moritzzimmer/terraform-aws-lambda/compare/v6.1.1...v6.2.0

What's Changed

• chore: bumped dependencies by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/59
• fix(IAM): Add kinesis:ListShards IAM permission by @saefty in https://github.com/moritzzimmer/terraform-aws-lambda/pull/58

New Contributors

• @saefty made their first contribution in https://github.com/moritzzimmer/terraform-aws-lambda/pull/58

Full Changelog: https://github.com/moritzzimmer/terraform-aws-lambda/compare/v6.1.0...v6.1.1

What's Changed

• fix: allow Lambda Insights for arm64 and x86_64 architectures by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/52

Full Changelog: https://github.com/moritzzimmer/terraform-aws-lambda/compare/v6.0.1...v6.1.0

In this major version release, deprecated terraform sub-modules and workarounds for aws provider versions < 2 have been removed.

Note: Terraform will destroy and then create a replacement of some of the resources when applying this version to existing 5.x stacks, especially the Lambda function and it's IAM role.

In case of Error: error creating IAM Role (my-function-eu-west-1): EntityAlreadyExists: Role with name my-function-eu-west-1 already exists. errors (old role hasn't been fully deleted inside AWS), please apply the changes again.

New features

CloudWatch logs

The possibility to declare CloudWatch logs subscription filters has been enhanced to support:

• multiple subscription filters
• configure properties from cloudwatch_log_subscription_filter

  cloudwatch_log_subscription_filters = {
    lambda_1 = {
      //see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter for available arguments
      destination_arn = module.destination_1.arn // required
    }

    lambda_2 = {
      destination_arn = module.destination_2.arn // required
    }
  }

see example

In addition, the variable name to configure the retention time has been aliged to cloudwatch_logs_retention_in_days.

GovCloud

Hardcoded partition identifiers in ARNs have been refactored to support creating Lambda functions in AWS GovCloud (#50)

Breaking changes

• log_retention_in_days has been renamed to cloudwatch_logs_retention_in_days
• logfilter_destination_arn has been replaced by cloudwatch_log_subscription_filters (see above)
• deprecated event variable has been removed, use specific cloudwatch_event_rules, event_source_mappings or sns_subscriptions instead. Note: there is no replacement for the deprecated s3 sub-module
• deprecated ssm_parameter_names variable has been removed, use ssm instead

What's Changed

• Version 6 by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/39

Full Changelog: https://github.com/moritzzimmer/terraform-aws-lambda/compare/v5.17.0...v6.0.0

New Features

Added support for AWS Graviton2 architecture.

Example:

module "lambda" {
  source = "moritzzimmer/lambda/aws"

  architectures    = ["arm64"]
  description      = "powered by AWS Graviton2"
  filename         = module.source.output_path
  function_name    = "arm64"
  handler          = "index.handler"
  runtime          = "nodejs14.x"
  source_code_hash = module.source.output_base64sha256
}

What's Changed

• feat: added graviton support by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/49

Full Changelog: https://github.com/moritzzimmer/terraform-aws-lambda/compare/v5.16.0...v5.17.0

New Features

Enhanced the deployment module to support continuous deployment of Lambda functions packaged on S3.

Example:

locals {
  environment   = "production"
  function_name = "example-with-s3-codepipeline"
  s3_key        = "package/lambda.zip"
}

resource "aws_lambda_alias" "this" {
  function_name    = module.lambda.function_name
  function_version = module.lambda.version
  name             = local.environment

  lifecycle {
    ignore_changes = [function_version]
  }
}

module "deployment" {
  source = "moritzzimmer/lambda/aws//modules/deployment"

  alias_name    = aws_lambda_alias.this.name
  function_name = local.function_name
  s3_bucket     = aws_s3_bucket_object.source.bucket
  s3_key        = local.s3_key
}

module "lambda" {
  source        = "moritzzimmer/lambda/aws"

  function_name                    = local.function_name
  handler                          = "index.handler"
  ignore_external_function_updates = true
  publish                          = true
  runtime                          = "nodejs14.x"
  s3_bucket                        = aws_s3_bucket_object.source.bucket
  s3_key                           = local.s3_key
  s3_object_version                = aws_s3_bucket_object.source.version_id
}

resource "aws_s3_bucket" "source" {
  acl           = "private"
  bucket        = "source-bucket"
  force_destroy = true

  versioning {
    enabled = true
  }
}

resource "aws_s3_bucket_public_access_block" "source" {
  bucket = aws_s3_bucket.source.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

see see example for details

Noteworthy

• the dependency to external modules has been removed in favour of standard resources from the aws provider. Upgrading existing projects might result in Error: Error creating S3 bucket: BucketAlreadyOwnedByYou: Your previous request to create the named bucket succeeded and you already own it. errors. In this case run terraform apply again.
• public access to the internal S3 bucket used for CodePipeline has been removed
• container based deployments now publish a new version using update-function-code API call directly. The intermediate step with a wait function is not necessary anymore
• upgraded to python 3.9 in CodeBuild
• CodeDeploy environment (compute type, image and type) are now configurable

Special thanks

Thanks @thisismana for collaborating on this feature

What's Changed

• feat: deployment pipeline for S3 based function packages by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/44

Full Changelog: https://github.com/moritzzimmer/terraform-aws-lambda/compare/v5.14.0...v5.15.0

New Features

Added support to configure a SNS or SQS destination for discarded batches in event source mappings (supported for DynamoDb and Kinesis.

Required IAM permissions with minimum priviledges to send SQS messages or publish to a SNS topic will be a added automatically by the module.

Example:

module "lambda" {
  source = "moritzzimmer/lambda/aws"

  description      = "Example usage for an AWS Lambda with a DynamoDb event source mapping"
  filename         = data.archive_file.dynamodb_handler.output_path
  function_name    = "example-with-dynamodb-event-source-mapping"
  handler          = "index.handler"
  runtime          = "nodejs14.x"
  source_code_hash = data.archive_file.dynamodb_handler.output_base64sha256

  event_source_mappings = {
    table_1 = {
      event_source_arn       = aws_dynamodb_table.table_1.stream_arn
      maximum_retry_attempts = 3

      // optionally configure a SNS or SQS destination for discarded batches, required IAM
      // permissions will be added automatically by this module,
      // see https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html
      destination_arn_on_failure = aws_sqs_queue.errors.arn
  }
}

resource "aws_sqs_queue" "errors" {
  name = "${module.lambda.function_name}-processing-errors"
}

What's Changed

• feat: added support for on_failure destinations to event source mappings by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/43

Full Changelog: https://github.com/moritzzimmer/terraform-aws-lambda/compare/v5.13.0...v5.14.0

New Features

Amazon CloudWatch Lambda Insights

Amazon CloudWatch Lambda Insights can now be enabled for your zip and image deployment packages:

module "lambda" {
  // see above

  cloudwatch_lambda_insights_enabled = true
}

Please check the list of supported runtimes!

This module will add the required IAM permissions to the function role automatically for both package types.

In case of a zip deployment package, this module will also add the appropriate extension layer
to your function (use cloudwatch_lambda_insights_extension_version to set the version of this layer).

For image deployment packages, the Lambda Insights extension needs to be added to the container image:

FROM public.ecr.aws/serverless/extensions/lambda-insights:12 AS lambda-insights

FROM public.ecr.aws/lambda/nodejs:12
COPY --from=lambda-insights /opt /opt
COPY app.js /var/task/

CloudWatch event rules

The possibilities to declare CloudWatch Event Rules inline have been enhanced with this release.

Using the new variable cloudwatch_event_rules you can now:

• declare N event rules instead of only one
• use a Lambda alias as the event traget
• configure all attributes of the event rules inline
• required permissions to trigger Lambda by EventBridge will be generated

module "lambda" {
  // see above

cloudwatch_event_rules = {
    scheduled = {
      schedule_expression = "rate(1 minute)"

      // optionally overwrite arguments like 'description'
      // from https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule
      description = "Triggered by CloudTrail"

      // optionally overwrite `cloudwatch_event_target_arn` in case an alias should be used for the event rule
      cloudwatch_event_target_arn = aws_lambda_alias.example.arn
    }

    pattern = {
      event_pattern = <<PATTERN
      {
        "detail-type": [
          "AWS Console Sign In via CloudTrail"
        ]
      }
      PATTERN
    }
  }
}

see example for details

Deprecations

Using the event variable to configure the cloudwatch-event terraform sub-module is deprecated and will be removed in the next major release. You should be able to migrate to the new variable without downtime.

What's Changed

• added support for CloudWatch Lambda Insights by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/30

Full Changelog: https://github.com/moritzzimmer/terraform-aws-lambda/compare/v5.11.0...v5.12.0

New Features

This module now supports creating Lambda@Edge ready versions of your Node.js or Python functions. Required trust relationship and publishing of function versions will be configured automatically (see AWS docs for details).

Example:

provider "aws" {
  region = "eu-west-1"
}

module "lambda" {
  source = "moritzzimmer/lambda/aws"

  description      = "Example usage for an AWS Lambda without an event trigger."
  filename         = module.source.output_path
  function_name    = "example-without-event"
  handler          = "handler"
  lambda_at_edge   = true
  runtime          = "nodejs12.x"
  source_code_hash = module.source.output_base64sha256
}

What's Changed

• added support for Lambda@Edge by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/27

Full Changelog: https://github.com/moritzzimmer/terraform-aws-lambda/compare/v5.9.1...v5.10.0

New Features

Controlled, blue/green deployments of Lambda functions with (automatic) rolebacks and traffic shifting can be implemented using Lambda aliases and AWS CodeDeploy.

This release provides a new optional module to create AWS resources and permissions for creating and starting such CodeDeploy deployments as part of AWS CodePipelines.

Highlights:

• fully automated AWS CodePipelines triggered by ECR pushes of containerized Lambda functions
• creation of IAM roles with permissions following the principle of least privilege for CodePipeline, CodeBuild and CodeDeploy or bring your own roles
• optional CodeStar notifications via SNS
• ignore changes to Terraform state of your Lambda function by CodeDeploy deployments

see here for a real world example

backwards compatibility

The deployment is an optional add-on. In case you enhance existing Lambda functions using ignore_external_function_updates your function will be recreated using the new lambda_external_lifecycle resource with
a lifecycle block:

lifecycle {
    ignore_changes = [
      image_uri, last_modified, qualified_arn, version
    ]
  }

Special thanks

Thanks @thisismana for collaborating on this feature

What's Changed

• Deployment of Lambda functions using AWS CodePipeline and CodeDeploy by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/23

Full Changelog: https://github.com/moritzzimmer/terraform-aws-lambda/compare/v5.8.0...v5.9.0

New Features

Possibilities to configure SNS subscriptions and event source mappings for Dynamodb, Kinesis and SQS have been enhanced with this release.

Event source mappings

A new variable event_source_mappings has been introduced. The new configuration supports:

• configuration of N event sources instead of only one
• using Lambda aliases in event source mappings
• event sources like SQS queues or Dynamodb tables can be part of the same terraform stack as resources
• inline configuration of attributes of event source mappings like batch_size
• required IAM permissions depending on the event source type will be generated

simple example

module "lambda" {
  event_source_mappings = {
    queue_1 = {
      event_source_arn = aws_sqs_queue.queue_1.arn
    }
    queue_2 = {
      event_source_arn = aws_sqs_queue.queue_2.arn
    }
  }
}

see examples for further details.

SNS subscriptions

A new variable sns_subscriptions has been introduced. The new configuration supports:

• configuration of N subscriptions instead of only one
• using Lambda aliases in subscriptions
• SNS topics can be part of the same terraform stack as resources
• required permissions to trigger Lambda by SNS will be generated

simple example

module "lambda" {
  sns_subscriptions = {
    topic_1 = {
      topic_arn = aws_sns_topic.topic_1.arn
    }

    topic_2 = {
      topic_arn = aws_sns_topic.topic_2.arn
    }
  }
}

see example for further details.

Deprecations

Using the event variable to configure sns, dynamodb, kinesis and sqs terraform sub-modules is deprecated and will be removed in the next major release. Users should be able to migrate to the new variables without downtime.

Special thanks

Thanks @machadovilaca for providing the new sns subscriptions implementation!

Misc

• new/updated examples have been enhanced to contain working nodejs12.x handlers for real world testing
• first terratest for new event source implementation

What's Changed

• use tf version matrix on ci by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/16
• Allow multiple SNS topic subscriptions by @machadovilaca in https://github.com/moritzzimmer/terraform-aws-lambda/pull/17
• Refactoring of event source mappings by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/19
• added support for using aliases in sns subscriptions by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/21

New Contributors

• @machadovilaca made their first contribution in https://github.com/moritzzimmer/terraform-aws-lambda/pull/17

Full Changelog: https://github.com/moritzzimmer/terraform-aws-lambda/compare/v5.7.0...v5.8.0

• added support container images
• minimum aws provider version is now 3.19

What's Changed

• added support for using container images by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/15

Full Changelog: https://github.com/moritzzimmer/terraform-aws-lambda/compare/v5.6.0...v5.7.0

Added support to configure tracing with x-ray including IAM permissions.

What's Changed

• tracing config by @moritzzimmer in https://github.com/moritzzimmer/terraform-aws-lambda/pull/12

Full Changelog: https://github.com/moritzzimmer/terraform-aws-lambda/compare/v5.5.2...v5.6.0

Introducing a new configuration object ssm to specify SSM parameter names. The IAM role will be enhanced with read permissions to those parameters.

In addition the variable kms_key_arn will (also) be set in the aws_lambda_function as described in https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#kms_key_arn.

(for spring-media users, this fixes spring-media/terraform-aws-lambda#61 and spring-media/terraform-aws-lambda#59)

Deprecations:

• the old ssm_parameter_names variable is deprecated and scheduled for deletion in the next major release of this module
• using kms_key_arn to create an IAM role attachment to allow kms:Decrypt for custom keys is deprecated and will be removed in the next major release of this module

Added support for Lambda layers:

locals {
  artifact  = "${path.module}/../build/distributions/java-sqs-lambda.zip"
  libraries = "${path.module}/../build/distributions/libraries.zip"
}

data "aws_sqs_queue" "primary" {
  name = "cms-updates-primary"
}

resource "aws_lambda_layer_version" "libraries" {
  filename   = local.libraries
  layer_name = "libraries"

  compatible_runtimes = ["java11"]
}

module "lambda" {
  source  = "moritzzimmer/lambda/aws"
  version = "5.3.0"

  description           = "Java lambda with SQS trigger and lambda layers"
  filename              = local.artifact
  function_name         = "java-sqs-example"
  handler               = "example.Handler"
  layers                = [aws_lambda_layer_version.libraries.arn]
  memory_size           = 1024
  log_retention_in_days = 1
  runtime               = "java11"
  source_code_hash      = filebase64sha256(local.artifact)

  event = {
    type             = "sqs"
    event_source_arn = data.aws_sqs_queue.primary.arn
  }
}