AWS Lambda Terraform module
Upstream version 8.8.0
0 controls from Registry requirements
Terraform Module Source
registry.compliance.tf/terraform-aws-modules/lambda/aws
138 unique
| Name | Type | Default | Description |
|---|---|---|---|
| Optional | | | |
allowed_triggers | map(any) | {} | Map of allowed triggers to create Lambda permissions |
architectures | list(string) | null | Instruction set architecture for your Lambda function. Valid values are ["x86_64"] and ["arm64"]. |
artifacts_dir | string | "builds" | Directory name where artifacts should be stored |
assume_role_policy_statements | any | {} | Map of dynamic policy statements for assuming Lambda Function role (trust relationship) |
attach_async_event_policy | bool | false | Controls whether async event policy should be added to IAM role for Lambda Function |
attach_cloudwatch_logs_policy | bool | true | Controls whether CloudWatch Logs policy should be added to IAM role for Lambda Function |
attach_create_log_group_permission | bool | true | Controls whether to add the create log group permission to the CloudWatch logs policy |
attach_dead_letter_policy | bool | false | Controls whether SNS/SQS dead letter notification policy should be added to IAM role for Lambda Function |
attach_network_policy | bool | false | Controls whether VPC/network policy should be added to IAM role for Lambda Function |
attach_policies | bool | false | Controls whether list of policies should be added to IAM role for Lambda Function |
attach_policy | bool | false | Controls whether policy should be added to IAM role for Lambda Function |
attach_policy_json | bool | false | Controls whether policy_json should be added to IAM role for Lambda Function |
attach_policy_jsons | bool | false | Controls whether policy_jsons should be added to IAM role for Lambda Function |
attach_policy_statements | bool | false | Controls whether policy_statements should be added to IAM role for Lambda Function |
attach_tracing_policy | bool | false | Controls whether X-Ray tracing policy should be added to IAM role for Lambda Function |
authorization_type | string | "NONE" | The type of authentication that the Lambda Function URL uses. Set to 'AWS_IAM' to restrict access to authenticated IAM users only. Set to 'NONE' to bypass IAM authentication and create a public endpoint. |
build_in_docker | bool | false | Whether to build dependencies in Docker |
cloudwatch_logs_deletion_protection_enabled | bool | null | Whether to enable deletion protection for the log group. |
cloudwatch_logs_kms_key_id | string | null | The ARN of the KMS Key to use when encrypting log data. |
cloudwatch_logs_log_group_class | string | null | Specifies the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS` |
cloudwatch_logs_retention_in_days | number | null | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. |
cloudwatch_logs_skip_destroy | bool | false | Whether to keep the log group (and any logs it may contain) at destroy time. |
cloudwatch_logs_tags | map(string) | {} | A map of tags to assign to the resource. |
code_signing_config_arn | string | null | Amazon Resource Name (ARN) for a Code Signing Configuration |
compatible_architectures | list(string) | null | A list of Architectures Lambda layer is compatible with. Currently x86_64 and arm64 can be specified. |
compatible_runtimes | list(string) | [] | A list of Runtimes this layer is compatible with. Up to 5 runtimes can be specified. |
cors | any | {} | CORS settings to be used by the Lambda Function URL |
create | bool | true | Controls whether resources should be created |
create_async_event_config | bool | false | Controls whether async event configuration for Lambda Function/Alias should be created |
create_current_version_allowed_triggers | bool | true | Whether to allow triggers on current version of Lambda Function (this will revoke permissions from previous version because Terraform manages only current resources) |
create_current_version_async_event_config | bool | true | Whether to allow async event configuration on current version of Lambda Function (this will revoke permissions from previous version because Terraform manages only current resources) |
create_function | bool | true | Controls whether Lambda Function resource should be created |
create_lambda_function_url | bool | false | Controls whether the Lambda Function URL resource should be created |
create_layer | bool | false | Controls whether Lambda Layer resource should be created |
create_package | bool | true | Controls whether Lambda package should be created |
create_role | bool | true | Controls whether IAM role for Lambda Function should be created |
create_sam_metadata | bool | false | Controls whether the SAM metadata null resource should be created |
create_unqualified_alias_allowed_triggers | bool | true | Whether to allow triggers on unqualified alias pointing to $LATEST version |
create_unqualified_alias_async_event_config | bool | true | Whether to allow async event configuration on unqualified alias pointing to $LATEST version |
create_unqualified_alias_lambda_function_url | bool | true | Whether to use unqualified alias pointing to $LATEST version in Lambda Function URL |
dead_letter_target_arn | string | null | The ARN of an SNS topic or SQS queue to notify when an invocation fails. |
description | string | "" | Description of your Lambda Function (or Layer) |
destination_on_failure | string | null | Amazon Resource Name (ARN) of the destination resource for failed asynchronous invocations |
destination_on_success | string | null | Amazon Resource Name (ARN) of the destination resource for successful asynchronous invocations |
docker_additional_options | list(string) | [] | Additional options to pass to the docker run command (e.g. to set environment variables, volumes, etc.) |
docker_build_root | string | "" | Root dir where to build in Docker |
docker_entrypoint | string | null | Path to the Docker entrypoint to use |
docker_file | string | "" | Path to a Dockerfile when building in Docker |
docker_image | string | "" | Docker image to use for the build |
docker_pip_cache | any | null | Whether to mount a shared pip cache folder into docker environment or not |
docker_with_ssh_agent | bool | false | Whether to pass SSH_AUTH_SOCK into docker environment or not |
durable_config_execution_timeout | number | null | Maximum execution time in seconds for the durable function. Valid values between 1 and 31622400 (366 days). |
durable_config_retention_period | number | null | Number of days to retain the function's execution state. Valid values between 1 and 90. Defaults to 14 if durable_config is enabled. |
environment_variables | map(string) | {} | A map that defines environment variables for the Lambda Function. |
ephemeral_storage_size | number | 512 | Amount of ephemeral storage (/tmp) in MB your Lambda Function can use at runtime. Valid values are between 512 MB and 10,240 MB (10 GB). |
event_source_mapping | any | {} | Map of event source mapping |
file_system_arn | string | null | The Amazon Resource Name (ARN) of the Amazon EFS Access Point that provides access to the file system. |
file_system_local_mount_path | string | null | The path where the function can access the file system, starting with /mnt/. |
function_name | string | "" | A unique name for your Lambda Function |
function_tags | map(string) | {} | A map of tags to assign only to the lambda function |
handler | string | "" | Lambda Function entrypoint in your code |
hash_extra | string | "" | The string to add into hashing function. Useful when building same source path for different functions. |
ignore_source_code_hash | bool | false | Whether to ignore changes to the function's source code hash. Set to true if you manage infrastructure and code deployments separately. |
image_config_command | list(string) | [] | The CMD for the docker image |
image_config_entry_point | list(string) | [] | The ENTRYPOINT for the docker image |
image_config_working_directory | string | null | The working directory for the docker image |
image_uri | string | null | The ECR image URI containing the function's deployment package. |
include_default_tag | bool | true | [Deprecated] Set to false to not include the default tag in the tags map. |
invoke_mode | string | null | Invoke mode of the Lambda Function URL. Valid values are BUFFERED (default) and RESPONSE_STREAM. |
ipv6_allowed_for_dual_stack | bool | null | Allows outbound IPv6 traffic on VPC functions that are connected to dual-stack subnets |
kms_key_arn | string | null | The ARN of KMS key to use by your Lambda Function |
lambda_at_edge | bool | false | Set this to true if using Lambda@Edge, to enable publishing, limit the timeout, and allow edgelambda.amazonaws.com to invoke the function |
lambda_at_edge_logs_all_regions | bool | true | Whether to specify a wildcard in IAM policy used by Lambda@Edge to allow logging in all regions |
lambda_role | string | "" | IAM role ARN attached to the Lambda Function. This governs both who / what can invoke your Lambda Function, as well as what resources your Lambda Function has access to. See Lambda Permission Model for more details. |
layer_name | string | "" | Name of Lambda Layer to create |
layer_skip_destroy | bool | false | Whether to retain the old version of a previously deployed Lambda Layer. |
layers | list(string) | null | List of Lambda Layer Version ARNs (maximum of 5) to attach to your Lambda Function. |
license_info | string | "" | License info for your Lambda Layer. E.g., MIT or the full URL of a license. |
local_existing_package | string | null | The absolute path to an existing zip-file to use |
logging_application_log_level | string | "INFO" | The application log level of the Lambda Function. Valid values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", or "FATAL". |
logging_log_format | string | "Text" | The log format of the Lambda Function. Valid values are "JSON" or "Text". |
logging_log_group | string | null | The CloudWatch log group to send logs to. |
logging_system_log_level | string | "INFO" | The system log level of the Lambda Function. Valid values are "DEBUG", "INFO", or "WARN". |
managed_instances_capacity_provider_arn | string | null | ARN of the Capacity Provider. |
maximum_event_age_in_seconds | number | null | Maximum age of a request that Lambda sends to a function for processing in seconds. Valid values between 60 and 21600. |
maximum_retry_attempts | number | null | Maximum number of times to retry when the function returns an error. Valid values between 0 and 2. Defaults to 2. |
memory_size | number | 128 | Amount of memory in MB your Lambda Function can use at runtime. Valid values are between 128 MB and 10,240 MB (10 GB), in 64 MB increments. |
number_of_policies | number | 0 | Number of policies to attach to IAM role for Lambda Function |
number_of_policy_jsons | number | 0 | Number of policies JSON to attach to IAM role for Lambda Function |
package_type | string | "Zip" | The Lambda deployment package type. Valid options: Zip or Image |
policies | list(string) | [] | List of policy statements ARN to attach to Lambda Function role |
policy | string | null | An additional policy document ARN to attach to the Lambda Function role |
policy_json | string | null | An additional policy document as JSON to attach to the Lambda Function role |
policy_jsons | list(string) | [] | List of additional policy documents as JSON to attach to Lambda Function role |
policy_name | string | null | IAM policy name. It overrides the default value, which is the same as role_name. |
policy_statements | any | {} | Map of dynamic policy statements to attach to Lambda Function role |
provisioned_concurrent_executions | number | -1 | Amount of capacity to allocate. Set to 1 or greater to enable, or set to 0 to disable provisioned concurrency. |
publish | bool | false | Whether to publish creation/change as new Lambda Function Version. |
putin_khuylo | bool | true | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! |
quiet_archive_local_exec | bool | true | Whether to disable archive local execution output |
recreate_missing_package | bool | true | Whether to recreate missing Lambda package if it is missing locally or not |
recursive_loop | string | null | Lambda function recursion configuration. Valid values are Allow or Terminate. |
region | string | null | Region where the resource(s) will be managed. Defaults to the region set in the provider configuration |
replace_security_groups_on_destroy | bool | null | (Optional) When true, all security groups defined in vpc_security_group_ids will be replaced with the default security group after the function is destroyed. Set the replacement_security_group_ids variable to use a custom list of security groups for replacement instead. |
replacement_security_group_ids | list(string) | null | (Optional) List of security group IDs to assign to orphaned Lambda function network interfaces upon destruction. replace_security_groups_on_destroy must be set to true to use this attribute. |
reserved_concurrent_executions | number | -1 | The amount of reserved concurrent executions for this Lambda Function. A value of 0 disables Lambda Function from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. |
role_description | string | null | Description of IAM role to use for Lambda Function |
role_force_detach_policies | bool | true | Specifies to force detaching any policies the IAM role has before destroying it. |
role_maximum_session_duration | number | 3600 | Maximum session duration, in seconds, for the IAM role |
role_name | string | null | Name of IAM role to use for Lambda Function |
role_path | string | null | Path of IAM role to use for Lambda Function |
role_permissions_boundary | string | null | The ARN of the policy that is used to set the permissions boundary for the IAM role used by Lambda Function |
role_tags | map(string) | {} | A map of tags to assign to IAM role |
runtime | string | "" | Lambda Function runtime |
s3_acl | string | "private" | The canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, bucket-owner-read, and bucket-owner-full-control. Defaults to private. |
s3_bucket | string | null | S3 bucket to store artifacts |
s3_existing_package | map(string) | null | The S3 bucket object with keys bucket, key, version pointing to an existing zip-file to use |
s3_kms_key_id | string | null | Specifies a custom KMS key to use for S3 object encryption. |
s3_object_override_default_tags | bool | false | Whether to override the default_tags from provider? NB: S3 objects support a maximum of 10 tags. |
s3_object_storage_class | string | "ONEZONE_IA" | Specifies the desired Storage Class for the artifact uploaded to S3. Can be either STANDARD, REDUCED_REDUNDANCY, ONEZONE_IA, INTELLIGENT_TIERING, or STANDARD_IA. |
s3_object_tags | map(string) | {} | A map of tags to assign to S3 bucket object. |
s3_object_tags_only | bool | false | Set to true to not merge tags with s3_object_tags. Useful to avoid breaching S3 Object 10 tag limit. |
s3_prefix | string | null | Directory name where artifacts should be stored in the S3 bucket. If unset, the path from `artifacts_dir` is used |
s3_server_side_encryption | string | null | Specifies server-side encryption of the object in S3. Valid values are "AES256" and "aws:kms". |
skip_destroy | bool | null | Set to true if you do not wish the function to be deleted at destroy time, and instead just remove the function from the Terraform state. Useful for Lambda@Edge functions attached to CloudFront distributions. |
snap_start | bool | false | (Optional) Snap start settings for low-latency startups |
source_path | any | null | The absolute path to a local file or directory containing your Lambda source code |
store_on_s3 | bool | false | Whether to store produced artifacts on S3 or locally. |
tags | map(string) | {} | A map of tags to assign to resources. |
tenant_isolation_mode | bool | false | Enable tenant isolation mode for the Lambda Function |
timeout | number | 3 | The amount of time your Lambda Function has to run in seconds. |
timeouts | map(string) | {} | Define maximum timeout for creating, updating, and deleting Lambda Function resources |
tracing_mode | string | null | Tracing mode of the Lambda Function. Valid value can be either PassThrough or Active. |
trigger_on_package_timestamp | bool | true | Whether to recreate the Lambda package if the timestamp changes |
trusted_entities | any | [] | List of additional trusted entities for assuming Lambda Function role (trust relationship) |
use_existing_cloudwatch_log_group | bool | false | Whether to use an existing CloudWatch log group or create new |
vpc_security_group_ids | list(string) | null | List of security group ids when Lambda Function should run in the VPC. |
vpc_subnet_ids | list(string) | null | List of subnet ids when Lambda Function should run in the VPC. Usually private or intra subnets. |