{"id":17647951,"url":"https://github.com/moritzzimmer/terraform-aws-lambda","last_synced_at":"2025-10-05T08:35:25.366Z","repository":{"id":37090507,"uuid":"285833608","full_name":"moritzzimmer/terraform-aws-lambda","owner":"moritzzimmer","description":"A Terraform module to create AWS Lambda ressources.","archived":false,"fork":false,"pushed_at":"2025-03-17T05:16:03.000Z","size":895,"stargazers_count":57,"open_issues_count":1,"forks_count":34,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-30T08:11:49.409Z","etag":null,"topics":["aws","aws-lambda","dynamodb","eventbridge","kinesis","lambda","serverless","sns","sqs","terraform","terraform-module","terraform-serverless"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/moritzzimmer/lambda/aws","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/moritzzimmer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-08-07T13:17:57.000Z","updated_at":"2025-01-28T10:32:39.000Z","dependencies_parsed_at":"2024-03-27T12:27:51.645Z","dependency_job_id":"cf8b9e52-6053-407d-9569-e525e380de2f","html_url":"https://github.com/moritzzimmer/terraform-aws-lambda","commit_stats":null,"previous_names":[],"tags_count":87,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moritzzimmer%2Fterraform-aws-lambda","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moritzzimmer%2Fterraform-aws-lambda/tags","releases_url":"https://repos.e
cosyste.ms/api/v1/hosts/GitHub/repositories/moritzzimmer%2Fterraform-aws-lambda/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moritzzimmer%2Fterraform-aws-lambda/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/moritzzimmer","download_url":"https://codeload.github.com/moritzzimmer/terraform-aws-lambda/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247457803,"owners_count":20941906,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-lambda","dynamodb","eventbridge","kinesis","lambda","serverless","sns","sqs","terraform","terraform-module","terraform-serverless"],"created_at":"2024-10-23T11:15:06.570Z","updated_at":"2025-10-05T08:35:25.359Z","avatar_url":"https://github.com/moritzzimmer.png","language":"HCL","readme":"# AWS Lambda Terraform module\n\n![](https://github.com/moritzzimmer/terraform-aws-lambda/workflows/static%20analysis/badge.svg) [![Terraform Module Registry](https://img.shields.io/badge/Terraform%20Module%20Registry-8.4.0-blue.svg)](https://registry.terraform.io/modules/moritzzimmer/lambda/aws/8.4.0) ![Terraform Version](https://img.shields.io/badge/Terraform-0.12+-green.svg) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n\nTerraform module to create AWS [Lambda](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) and accompanying resources for an efficient and secure\ndevelopment of Lambda functions like:\n\n- inline declaration of triggers for 
DynamoDb, EventBridge (CloudWatch Events), Kinesis, SNS or SQS including all required permissions\n- IAM role with permissions following the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege)\n- CloudWatch Logs and Lambda Insights configuration\n- [blue/green deployments](https://github.com/moritzzimmer/terraform-aws-lambda/blob/main/modules/deployment/README.md) with AWS CodePipeline and CodeDeploy\n\n## Features\n\n- IAM role with permissions following the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege)\n- inline declaration of [Event Source Mappings](https://www.terraform.io/docs/providers/aws/r/lambda_event_source_mapping.html) for DynamoDb, Kinesis and SQS triggers including required permissions (see [examples](examples/with-event-source-mappings)).\n- inline declaration of [SNS Topic Subscriptions](https://www.terraform.io/docs/providers/aws/r/sns_topic_subscription.html) including required [Lambda permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) (see [example](examples/with-sns-subscriptions))\n- inline declaration of [CloudWatch Event Rules](https://www.terraform.io/docs/providers/aws/r/cloudwatch_event_rule.html) including required [Lambda permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) (see [example](examples/with-cloudwatch-event-rules))\n- IAM permissions for read access to parameters from [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html)\n- [CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html) Log group configuration including retention time and [subscription filters](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html) with required permissions\nto stream logs to other Lambda functions 
(e.g. forwarding logs to Elasticsearch)\n- Lambda@Edge support fulfilling [requirements for CloudFront triggers](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-requirements-limits.html#lambda-requirements-cloudfront-triggers). Functions need\nto be deployed to US East (N. Virginia) region (`us-east-1`)\n- configuration for [Amazon CloudWatch Lambda Insights](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-insights.html) including required\n  permissions and Lambda Layer, see [details](#with-cloudwatch-lambda-insights)\n- add-on [module](modules/deployment) for controlled blue/green deployments using AWS [CodePipeline](https://docs.aws.amazon.com/codepipeline/latest/userguide/welcome.html)\n  and [CodeDeploy](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-steps-lambda.html) including all required permissions (see [examples](examples/deployment)).\n  Optionally ignore terraform state changes resulting from those deployments (using `ignore_external_function_updates`).\n\n## How do I use this module?\n\nThe module can be used for all [runtimes](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html) supported by AWS Lambda.\n\nDeployment packages can be specified either directly as a local file (using the `filename` argument), indirectly via Amazon S3 (using the `s3_bucket`, `s3_key` and `s3_object_versions` arguments)\nor using [container images](https://docs.aws.amazon.com/lambda/latest/dg/lambda-images.html) (using `image_uri` and `package_type` arguments),\nsee [documentation](https://www.terraform.io/docs/providers/aws/r/lambda_function.html#specifying-the-deployment-package) for details.\n\n### basic\n\nsee [example](examples/complete) for more configuration options\n\n```hcl\nprovider \"aws\" {\n  region = \"eu-west-1\"\n}\n\nmodule \"lambda\" {\n  source           = \"moritzzimmer/lambda/aws\"\n\n  filename         = \"my-package.zip\"\n  function_name    = \"my-function\"\n  handler          = 
\"my-handler\"\n  runtime          = \"go1.x\"\n  source_code_hash = filebase64sha256(\"${path.module}/my-package.zip\")\n}\n```\n\n### using container images\n\nsee [example](examples/container-image) for details\n\n```hcl\nmodule \"lambda\" {\n  source        = \"moritzzimmer/lambda/aws\"\n\n  function_name = \"my-function\"\n  image_uri     = \"111111111111.dkr.ecr.eu-west-1.amazonaws.com/my-image\"\n  package_type  = \"Image\"\n}\n```\n\n### with Amazon EventBridge (CloudWatch Events) rules\n\n[CloudWatch Event Rules](https://www.terraform.io/docs/providers/aws/r/cloudwatch_event_rule.html) to trigger your Lambda function\nby [EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/what-is-amazon-eventbridge.html) patterns or on a regular, scheduled basis can\nbe declared inline. The module will create the required [Lambda permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission)\nautomatically.\n\nsee [example](examples/with-cloudwatch-event-rules) for details\n\n```hcl\nmodule \"lambda\" {\n  // see above\n\n  cloudwatch_event_rules = {\n    scheduled = {\n      schedule_expression = \"rate(1 minute)\"\n\n      // optionally overwrite arguments like 'description'\n      // from https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule\n      description = \"Triggered by CloudTrail\"\n\n      // optionally overwrite `cloudwatch_event_target_arn` in case an alias should be used for the event rule\n      cloudwatch_event_target_arn = aws_lambda_alias.example.arn\n\n      // optionally add `cloudwatch_event_target_input` for event input\n      cloudwatch_event_target_input = jsonencode({\"key\": \"value\"})\n    }\n\n    pattern = {\n      event_pattern = \u003c\u003cPATTERN\n      {\n        \"detail-type\": [\n          \"AWS Console Sign In via CloudTrail\"\n        ]\n      }\n      PATTERN\n    }\n  }\n}\n```\n\n### with event source mappings\n\n[Event 
Source Mappings](https://www.terraform.io/docs/providers/aws/r/lambda_event_source_mapping.html) to trigger your Lambda function by DynamoDb,\nKinesis and SQS can be declared inline. The module will add the required read-only IAM permissions depending on the event source type to\nthe function role automatically (including support for [dedicated-throughput consumers](https://docs.aws.amazon.com/lambda/latest/dg/with-kinesis.html#services-kinesis-configure) using enhanced fan-out).\n\nPermissions to send discarded batches to SNS or SQS will be added automatically, if `destination_arn_on_failure` is configured.\n\nsee [examples](examples/with-event-source-mappings) for details\n\n#### DynamoDb\n\n```hcl\nmodule \"lambda\" {\n  // see above\n\n  event_source_mappings = {\n    table_1 = {\n      event_source_arn  = aws_dynamodb_table.table_1.stream_arn\n\n      // optionally overwrite arguments like 'batch_size'\n      // from https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping\n      batch_size        = 50\n      starting_position = \"LATEST\"\n\n      // optionally configure a SNS or SQS destination for discarded batches, required IAM\n      // permissions will be added automatically by this module,\n      // see https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html\n      destination_arn_on_failure = aws_sqs_queue.errors.arn\n\n      // optionally overwrite function_name in case an alias should be used in the\n      // event source mapping, see https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html\n      function_name = aws_lambda_alias.example.arn\n\n      // Lambda event filtering, see https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventfiltering.html\n      filter_criteria = [\n        {\n          pattern = jsonencode({\n            data : {\n              Key1 : [\"Value1\"]\n            }\n          })\n        },\n        {\n          pattern = 
jsonencode({\n            data : {\n              Key2 : [{ \"anything-but\" : [\"Value2\"] }]\n            }\n          })\n        }\n      ]\n    }\n\n    table_2 = {\n      event_source_arn = aws_dynamodb_table.table_2.stream_arn\n    }\n  }\n}\n```\n\n#### Kinesis\n\n```hcl\nresource \"aws_kinesis_stream_consumer\" \"this\" {\n  name       = module.lambda.function_name\n  stream_arn = aws_kinesis_stream.stream_2.arn\n}\n\nmodule \"lambda\" {\n  // see above\n\n  event_source_mappings = {\n    stream_1 = {\n      // To use a dedicated-throughput consumer with enhanced fan-out, specify the consumer's ARN instead of the stream's ARN, see https://docs.aws.amazon.com/lambda/latest/dg/with-kinesis.html#services-kinesis-configure\n      event_source_arn = aws_kinesis_stream_consumer.this.arn\n    }\n  }\n}\n\n```\n\n### with SNS subscriptions\n\n[SNS Topic Subscriptions](https://www.terraform.io/docs/providers/aws/r/sns_topic_subscription.html) to trigger your Lambda function by SNS can be declared inline.\nThe module will create the required [Lambda permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) automatically.\n\nsee [example](examples/with-sns-subscriptions) for details\n\n```hcl\nmodule \"lambda\" {\n  // see above\n\n  sns_subscriptions = {\n    topic_1 = {\n      topic_arn = aws_sns_topic.topic_1.arn\n\n      // optionally overwrite `endpoint` in case an alias should be used for the SNS subscription\n      endpoint  = aws_lambda_alias.example.arn\n    }\n\n    topic_2 = {\n      topic_arn = aws_sns_topic.topic_2.arn\n    }\n  }\n}\n```\n\n### with access to AWS Systems Manager Parameter Store\n\nRequired IAM permissions to get parameter(s) from [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html)\n(by path or name) can be added to the Lambda role:\n\n```hcl\nmodule \"lambda\" {\n  // see above\n\n  ssm = {\n      
parameter_names = [aws_ssm_parameter.string.name, aws_ssm_parameter.secure_string.name]\n  }\n}\n```\n\n### with CloudWatch Logs configuration\n\nBy default, the module will create and manage a [CloudWatch Log Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) for your Lambda function.\nIt's possible to configure settings like retention time and [KMS encryption](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html)\nfor this log group.\n\nIn addition, the module also supports [advanced logging configuration](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-cloudwatchlogs-loggroups.html)\nwhich provides the ability to define a custom name for the module managed log group as well as specifying an existing log group to be used by the Lambda function instead.\n\n[CloudWatch Logs subscription filters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter)\nto stream logs to other Lambda functions (e.g. to forward logs to Amazon OpenSearch Service) can be declared inline\nfor the module managed log group or an existing log group.\n\nThe module will create the required [IAM permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) for CloudWatch logs automatically. 
Those permissions can be removed by setting `cloudwatch_logs_enabled = false`.\n\nsee [example](examples/cloudwatch-logs) for details\n\n```hcl\nmodule \"lambda\" {\n  // see above\n\n  // remove CloudWatch logs IAM permissions\n  // cloudwatch_logs_enabled = false\n\n  // configure module managed log group\n  cloudwatch_logs_log_group_class   = \"STANDARD\"\n  cloudwatch_logs_retention_in_days = 7\n  cloudwatch_logs_skip_destroy      = false\n\n  // advanced logging config including a custom CloudWatch log group managed by the module\n  logging_config = {\n    application_log_level = \"INFO\"\n    log_format            = \"JSON\"\n    log_group             = \"/custom/my_function_name\"\n    system_log_level      = \"WARN\"\n  }\n\n  // register log subscription filters for the functions log group\n  cloudwatch_log_subscription_filters = {\n    sub_1 = {\n      // see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter for available arguments\n      destination_arn = module.sub_1.arn\n      filter_pattern  = \"%Lambda%\"\n    }\n  }\n}\n\nresource \"aws_cloudwatch_log_group\" \"existing\" {\n  name              = \"/existing/${module.fixtures.output_function_name}\"\n  retention_in_days = 1\n}\n\nmodule \"sub_1\" {\n  source = \"../../\"\n\n  // other required arguments\n\n  // disable creation of the module managed CloudWatch log group\n  create_cloudwatch_log_group = false\n\n  // advanced logging config using an external CloudWatch log group\n  logging_config = {\n    log_format = \"Text\"\n    log_group  = aws_cloudwatch_log_group.existing.name\n  }\n}\n```\n\n### with CloudWatch Lambda Insights\n\n[Amazon CloudWatch Lambda Insights](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-insights.html) can be enabled for `zip` and `image` function\ndeployment packages of all [runtimes](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-extensions-api.html) supporting Lambda extensions.\n\nThis 
module will add the required IAM permissions to the function role automatically for both package types. In case of a `zip` deployment package,\nthe region and architecture specific [layer version](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versions.html)\nneeds to be specified in `layers`.\n\n```hcl\nmodule \"lambda\" {\n  // see above\n\n  cloudwatch_lambda_insights_enabled = true\n\n  // see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versions.html\n  layers = [\"arn:aws:lambda:eu-west-1:580247275435:layer:LambdaInsightsExtension:16\"]\n}\n```\n\nFor `image` deployment packages, the Lambda Insights extension needs to be added to the [container image](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-Getting-Started-docker.html):\n\n```dockerfile\nFROM public.ecr.aws/lambda/nodejs:22\n\nRUN curl -O https://lambda-insights-extension.s3-ap-northeast-1.amazonaws.com/amazon_linux/lambda-insights-extension.rpm \u0026\u0026 \\\n    rpm -U lambda-insights-extension.rpm \u0026\u0026 \\\n    rm -f lambda-insights-extension.rpm\n\nCOPY index.js /var/task/\n```\n\n## Deployments\n\nControlled, blue/green deployments of Lambda functions with (automatic) rollbacks and traffic shifting can be implemented using\nLambda [aliases](https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html) and AWS [CodeDeploy](https://docs.aws.amazon.com/codedeploy/latest/userguide/welcome.html).\n\nThe [deployment](modules/deployment) submodule can be used to create the required AWS [CodePipeline](https://docs.aws.amazon.com/codepipeline/latest/userguide/welcome.html), [CodeBuild](https://docs.aws.amazon.com/codebuild/latest/userguide/welcome.html)\nand [CodeDeploy](https://docs.aws.amazon.com/codedeploy/latest/userguide/welcome.html) resources and permissions to execute secure deployments of S3 or containerized Lambda functions in your AWS account,\nsee 
[examples](examples/deployment) for details.\n\n## Examples\n\n- [complete](examples/complete)\n- [container-image](examples/container-image)\n- [deployment](examples/deployment)\n- [with-cloudwatch-event-rules](examples/with-cloudwatch-event-rules)\n- [with-cloudwatch-logs-subscription](examples/cloudwatch-logs)\n- [with-event-source-mappings](examples/with-event-source-mappings)\n- [with-sns-subscriptions](examples/with-sns-subscriptions)\n- [with-vpc](examples/with-vpc)\n\n\n## Bootstrap new projects\n\nIn case you are using [go](https://golang.org/) for developing your Lambda functions, you can also use [func](https://github.com/moritzzimmer/func) to bootstrap your project and get started quickly.\n\n## How do I contribute to this module?\n\nContributions are very welcome! Check out the [Contribution Guidelines](https://github.com/moritzzimmer/terraform-aws-lambda/blob/main/CONTRIBUTING.md) for instructions.\n\n## How is this module versioned?\n\nThis Module follows the principles of [Semantic Versioning](http://semver.org/). You can find each new release in the [releases page](../../releases).\n\nDuring initial development, the major version will be 0 (e.g., `0.x.y`), which indicates the code does not yet have a\nstable API. Once we hit `1.0.0`, we will make every effort to maintain a backwards compatible API and use the MAJOR,\nMINOR, and PATCH versions on each release to indicate any incompatibilities.\n\n## History\n\nImplementation of this module started at [Spring Media/Welt](https://github.com/spring-media/terraform-aws-lambda). 
Users of `spring-media/lambda/aws`\nshould migrate to this module as a drop-in replacement to benefit from new features and bugfixes.\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.5.7 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 6.0 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | \u003e= 6.0 |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_cloudwatch_event_rule.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |\n| [aws_cloudwatch_event_target.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |\n| [aws_cloudwatch_log_group.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |\n| [aws_cloudwatch_log_subscription_filter.cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter) | resource |\n| [aws_iam_role.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role_policy.event_sources](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |\n| [aws_iam_role_policy.lambda_insights](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |\n| [aws_iam_role_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |\n| [aws_iam_role_policy.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource 
|\n| [aws_iam_role_policy.tracing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |\n| [aws_iam_role_policy.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |\n| [aws_lambda_event_source_mapping.event_source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |\n| [aws_lambda_function.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |\n| [aws_lambda_function.lambda_external_lifecycle](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |\n| [aws_lambda_permission.cloudwatch_events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |\n| [aws_lambda_permission.cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |\n| [aws_lambda_permission.sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |\n| [aws_sns_topic_subscription.subscription](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |\n| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| [aws_cloudwatch_log_group.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudwatch_log_group) | data source |\n| [aws_iam_policy.lambda_insights](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |\n| [aws_iam_policy.tracing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |\n| 
[aws_iam_policy.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |\n| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.event_sources](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |\n| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_architectures\"\u003e\u003c/a\u003e [architectures](#input\\_architectures) | Instruction set architecture for your Lambda function. Valid values are [\"x86\\_64\"] and [\"arm64\"]. Removing this attribute, function's architecture stay the same. | `list(string)` | `null` | no |\n| \u003ca name=\"input_cloudwatch_event_rules\"\u003e\u003c/a\u003e [cloudwatch\\_event\\_rules](#input\\_cloudwatch\\_event\\_rules) | Creates EventBridge (CloudWatch Events) rules invoking your Lambda function. Required Lambda invocation permissions will be generated. | `map(any)` | `{}` | no |\n| \u003ca name=\"input_cloudwatch_lambda_insights_enabled\"\u003e\u003c/a\u003e [cloudwatch\\_lambda\\_insights\\_enabled](#input\\_cloudwatch\\_lambda\\_insights\\_enabled) | Enable CloudWatch Lambda Insights for your Lambda function. 
| `bool` | `false` | no |\n| \u003ca name=\"input_cloudwatch_log_subscription_filters\"\u003e\u003c/a\u003e [cloudwatch\\_log\\_subscription\\_filters](#input\\_cloudwatch\\_log\\_subscription\\_filters) | CloudWatch Logs subscription filter resources. Currently supports only Lambda functions as destinations. | `map(any)` | `{}` | no |\n| \u003ca name=\"input_cloudwatch_logs_enabled\"\u003e\u003c/a\u003e [cloudwatch\\_logs\\_enabled](#input\\_cloudwatch\\_logs\\_enabled) | Enables your Lambda function to send logs to CloudWatch. The IAM role of this Lambda function will be enhanced with required permissions. | `bool` | `true` | no |\n| \u003ca name=\"input_cloudwatch_logs_kms_key_id\"\u003e\u003c/a\u003e [cloudwatch\\_logs\\_kms\\_key\\_id](#input\\_cloudwatch\\_logs\\_kms\\_key\\_id) | The ARN of the KMS Key to use when encrypting log data. | `string` | `null` | no |\n| \u003ca name=\"input_cloudwatch_logs_log_group_class\"\u003e\u003c/a\u003e [cloudwatch\\_logs\\_log\\_group\\_class](#input\\_cloudwatch\\_logs\\_log\\_group\\_class) | Specifies the log class of the log group. Possible values are: `STANDARD`, `INFREQUENT_ACCESS`, or `DELIVERY`. | `string` | `null` | no |\n| \u003ca name=\"input_cloudwatch_logs_retention_in_days\"\u003e\u003c/a\u003e [cloudwatch\\_logs\\_retention\\_in\\_days](#input\\_cloudwatch\\_logs\\_retention\\_in\\_days) | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. | `number` | `null` | no |\n| \u003ca name=\"input_cloudwatch_logs_skip_destroy\"\u003e\u003c/a\u003e [cloudwatch\\_logs\\_skip\\_destroy](#input\\_cloudwatch\\_logs\\_skip\\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state. 
| `bool` | `false` | no |\n| \u003ca name=\"input_create_cloudwatch_log_group\"\u003e\u003c/a\u003e [create\\_cloudwatch\\_log\\_group](#input\\_create\\_cloudwatch\\_log\\_group) | Create and manage the CloudWatch Log Group for the Lambda function. Set to `false` to reuse an existing log group. | `bool` | `true` | no |\n| \u003ca name=\"input_description\"\u003e\u003c/a\u003e [description](#input\\_description) | Description of what your Lambda Function does. | `string` | `\"\"` | no |\n| \u003ca name=\"input_environment\"\u003e\u003c/a\u003e [environment](#input\\_environment) | Environment (e.g. env variables) configuration for the Lambda function enable you to dynamically pass settings to your function code and libraries | \u003cpre\u003eobject({\u003cbr/\u003e    variables = map(string)\u003cbr/\u003e  })\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_ephemeral_storage_size\"\u003e\u003c/a\u003e [ephemeral\\_storage\\_size](#input\\_ephemeral\\_storage\\_size) | The size of your Lambda functions ephemeral storage (/tmp) represented in MB. Valid value between 512 MB to 10240 MB. | `number` | `512` | no |\n| \u003ca name=\"input_event_source_mappings\"\u003e\u003c/a\u003e [event\\_source\\_mappings](#input\\_event\\_source\\_mappings) | Creates event source mappings to allow the Lambda function to get events from Kinesis, DynamoDB and SQS. The IAM role of this Lambda function will be enhanced with necessary minimum permissions to get those events. | `any` | `{}` | no |\n| \u003ca name=\"input_filename\"\u003e\u003c/a\u003e [filename](#input\\_filename) | The path to the function's deployment package within the local filesystem. If defined, The s3\\_-prefixed options and image\\_uri cannot be used. | `string` | `null` | no |\n| \u003ca name=\"input_function_name\"\u003e\u003c/a\u003e [function\\_name](#input\\_function\\_name) | A unique name for your Lambda Function. 
| `string` | n/a | yes |\n| \u003ca name=\"input_handler\"\u003e\u003c/a\u003e [handler](#input\\_handler) | The function entrypoint in your code. | `string` | `\"\"` | no |\n| \u003ca name=\"input_iam_role_name\"\u003e\u003c/a\u003e [iam\\_role\\_name](#input\\_iam\\_role\\_name) | Override the name of the IAM role for the function. Otherwise the default will be your function name with the region as a suffix. | `string` | `null` | no |\n| \u003ca name=\"input_ignore_external_function_updates\"\u003e\u003c/a\u003e [ignore\\_external\\_function\\_updates](#input\\_ignore\\_external\\_function\\_updates) | Ignore updates to your Lambda function executed externally to the Terraform lifecycle. Set this to `true` if you're using CodeDeploy, aws CLI or other external tools to update your Lambda function code. | `bool` | `false` | no |\n| \u003ca name=\"input_image_config\"\u003e\u003c/a\u003e [image\\_config](#input\\_image\\_config) | The Lambda OCI [image configurations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#image_config) block with three (optional) arguments:\u003cbr/\u003e\u003cbr/\u003e  - *entry\\_point* - The ENTRYPOINT for the docker image (type `list(string)`).\u003cbr/\u003e  - *command* - The CMD for the docker image (type `list(string)`).\u003cbr/\u003e  - *working\\_directory* - The working directory for the docker image (type `string`). | `any` | `{}` | no |\n| \u003ca name=\"input_image_uri\"\u003e\u003c/a\u003e [image\\_uri](#input\\_image\\_uri) | The ECR image URI containing the function's deployment package. Conflicts with filename, s3\\_bucket, s3\\_key, and s3\\_object\\_version. | `string` | `null` | no |\n| \u003ca name=\"input_kms_key_arn\"\u003e\u003c/a\u003e [kms\\_key\\_arn](#input\\_kms\\_key\\_arn) | Amazon Resource Name (ARN) of the AWS Key Management Service (KMS) key that is used to encrypt environment variables. 
If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key. If this configuration is provided when environment variables are not in use, the AWS Lambda API does not save this configuration and Terraform will show a perpetual difference of adding the key. To fix the perpetual difference, remove this configuration. | `string` | `\"\"` | no |\n| \u003ca name=\"input_lambda_at_edge\"\u003e\u003c/a\u003e [lambda\\_at\\_edge](#input\\_lambda\\_at\\_edge) | Enable Lambda@Edge for your Node.js or Python functions. Required trust relationship and publishing of function versions will be configured. | `bool` | `false` | no |\n| \u003ca name=\"input_layers\"\u003e\u003c/a\u003e [layers](#input\\_layers) | List of Lambda Layer Version ARNs (maximum of 5) to attach to your Lambda Function. | `list(string)` | `[]` | no |\n| \u003ca name=\"input_logging_config\"\u003e\u003c/a\u003e [logging\\_config](#input\\_logging\\_config) | Configuration block for advanced logging settings. | \u003cpre\u003eobject({\u003cbr/\u003e    log_format            = string\u003cbr/\u003e    application_log_level = optional(string, null)\u003cbr/\u003e    log_group             = optional(string, null)\u003cbr/\u003e    system_log_level      = optional(string, null)\u003cbr/\u003e  })\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_memory_size\"\u003e\u003c/a\u003e [memory\\_size](#input\\_memory\\_size) | Amount of memory in MB your Lambda Function can use at runtime. | `number` | `128` | no |\n| \u003ca name=\"input_package_type\"\u003e\u003c/a\u003e [package\\_type](#input\\_package\\_type) | The Lambda deployment package type. Valid values are Zip and Image. | `string` | `\"Zip\"` | no |\n| \u003ca name=\"input_publish\"\u003e\u003c/a\u003e [publish](#input\\_publish) | Whether to publish creation/change as new Lambda Function Version. 
| `bool` | `false` | no |\n| \u003ca name=\"input_region\"\u003e\u003c/a\u003e [region](#input\\_region) | Alternative region used in all region-aware resources. If not set, the provider's region will be used. | `string` | `null` | no |\n| \u003ca name=\"input_replace_security_groups_on_destroy\"\u003e\u003c/a\u003e [replace\\_security\\_groups\\_on\\_destroy](#input\\_replace\\_security\\_groups\\_on\\_destroy) | (Optional) Whether to replace the security groups on the function's VPC configuration prior to destruction. Removing these security group associations prior to function destruction can speed up security group deletion times of AWS's internal cleanup operations. By default, the security groups will be replaced with the default security group in the function's configured VPC. Set the `replacement_security_group_ids` attribute to use a custom list of security groups for replacement. | `bool` | `null` | no |\n| \u003ca name=\"input_replacement_security_group_ids\"\u003e\u003c/a\u003e [replacement\\_security\\_group\\_ids](#input\\_replacement\\_security\\_group\\_ids) | (Optional) List of security group IDs to assign to the function's VPC configuration prior to destruction. `replace_security_groups_on_destroy` must be set to `true` to use this attribute. | `list(string)` | `null` | no |\n| \u003ca name=\"input_reserved_concurrent_executions\"\u003e\u003c/a\u003e [reserved\\_concurrent\\_executions](#input\\_reserved\\_concurrent\\_executions) | The amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. | `number` | `-1` | no |\n| \u003ca name=\"input_runtime\"\u003e\u003c/a\u003e [runtime](#input\\_runtime) | The runtime environment for the Lambda function you are uploading. 
| `string` | `\"\"` | no |\n| \u003ca name=\"input_s3_bucket\"\u003e\u003c/a\u003e [s3\\_bucket](#input\\_s3\\_bucket) | The S3 bucket location containing the function's deployment package. Conflicts with filename and image\\_uri. This bucket must reside in the same AWS region where you are creating the Lambda function. | `string` | `null` | no |\n| \u003ca name=\"input_s3_key\"\u003e\u003c/a\u003e [s3\\_key](#input\\_s3\\_key) | The S3 key of an object containing the function's deployment package. Conflicts with filename and image\\_uri. | `string` | `null` | no |\n| \u003ca name=\"input_s3_object_version\"\u003e\u003c/a\u003e [s3\\_object\\_version](#input\\_s3\\_object\\_version) | The object version containing the function's deployment package. Conflicts with filename and image\\_uri. | `string` | `null` | no |\n| \u003ca name=\"input_snap_start\"\u003e\u003c/a\u003e [snap\\_start](#input\\_snap\\_start) | Enable snap start settings for low-latency startups. This feature is currently only supported for `java11` and `java17` runtimes and `x86_64` architectures. | `bool` | `false` | no |\n| \u003ca name=\"input_sns_subscriptions\"\u003e\u003c/a\u003e [sns\\_subscriptions](#input\\_sns\\_subscriptions) | Creates subscriptions to SNS topics which trigger your Lambda function. Required Lambda invocation permissions will be generated. | `map(any)` | `{}` | no |\n| \u003ca name=\"input_source_code_hash\"\u003e\u003c/a\u003e [source\\_code\\_hash](#input\\_source\\_code\\_hash) | Used to trigger updates. Must be set to a base64-encoded SHA256 hash of the package file specified with either filename or s3\\_key. The usual way to set this is filebase64sha256('file.zip') where 'file.zip' is the local filename of the lambda function source archive. | `string` | `\"\"` | no |\n| \u003ca name=\"input_ssm\"\u003e\u003c/a\u003e [ssm](#input\\_ssm) | List of AWS Systems Manager Parameter Store parameter names. 
The IAM role of this Lambda function will be enhanced with read permissions for those parameters. Parameters must start with a forward slash and can be encrypted with the default KMS key. | \u003cpre\u003eobject({\u003cbr/\u003e    parameter_names = list(string)\u003cbr/\u003e  })\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | A mapping of tags to assign to the Lambda function and all resources supporting tags. | `map(string)` | `{}` | no |\n| \u003ca name=\"input_timeout\"\u003e\u003c/a\u003e [timeout](#input\\_timeout) | The amount of time your Lambda Function has to run in seconds. | `number` | `3` | no |\n| \u003ca name=\"input_tracing_config_mode\"\u003e\u003c/a\u003e [tracing\\_config\\_mode](#input\\_tracing\\_config\\_mode) | Tracing config mode of the Lambda function. Can be either PassThrough or Active. | `string` | `null` | no |\n| \u003ca name=\"input_vpc_config\"\u003e\u003c/a\u003e [vpc\\_config](#input\\_vpc\\_config) | Provide this to allow your function to access your VPC (if both `subnet_ids` and `security_group_ids` are empty then vpc\\_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details). | \u003cpre\u003eobject({\u003cbr/\u003e    ipv6_allowed_for_dual_stack = optional(bool, false)\u003cbr/\u003e    security_group_ids          = list(string)\u003cbr/\u003e    subnet_ids                  = list(string)\u003cbr/\u003e  })\u003c/pre\u003e | `null` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_arn\"\u003e\u003c/a\u003e [arn](#output\\_arn) | The Amazon Resource Name (ARN) identifying your Lambda Function. |\n| \u003ca name=\"output_cloudwatch_log_group_arn\"\u003e\u003c/a\u003e [cloudwatch\\_log\\_group\\_arn](#output\\_cloudwatch\\_log\\_group\\_arn) | The Amazon Resource Name (ARN) identifying the CloudWatch log group used by your Lambda function. 
|\n| \u003ca name=\"output_cloudwatch_log_group_name\"\u003e\u003c/a\u003e [cloudwatch\\_log\\_group\\_name](#output\\_cloudwatch\\_log\\_group\\_name) | The name of the CloudWatch log group used by your Lambda function. |\n| \u003ca name=\"output_function_name\"\u003e\u003c/a\u003e [function\\_name](#output\\_function\\_name) | The unique name of your Lambda Function. |\n| \u003ca name=\"output_invoke_arn\"\u003e\u003c/a\u003e [invoke\\_arn](#output\\_invoke\\_arn) | The ARN to be used for invoking Lambda Function from API Gateway - to be used in aws\\_api\\_gateway\\_integration's uri |\n| \u003ca name=\"output_role_arn\"\u003e\u003c/a\u003e [role\\_arn](#output\\_role\\_arn) | The ARN of the IAM role attached to the Lambda Function. |\n| \u003ca name=\"output_role_name\"\u003e\u003c/a\u003e [role\\_name](#output\\_role\\_name) | The name of the IAM role attached to the Lambda Function. |\n| \u003ca name=\"output_version\"\u003e\u003c/a\u003e [version](#output\\_version) | Latest published version of your Lambda Function. |\n\u003c!-- END_TF_DOCS --\u003e\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmoritzzimmer%2Fterraform-aws-lambda","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmoritzzimmer%2Fterraform-aws-lambda","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmoritzzimmer%2Fterraform-aws-lambda/lists"}