terraform module for lambda function (#1)

niyatir2608 · web-flow · commit 63fed05d8274 · 2023-12-06T16:54:16.000+05:30
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,3 @@
+terraform.tfstate*
+.terraform*
+tfplan
diff --git a/EXAMPLE.md b/EXAMPLE.md
@@ -0,0 +1,69 @@
+# Lambda
+Below are the examples of calling this module.
+
+## Create lambda resource with security group
+Lambda function will be created from the zip file named lambda.zip uploaded in s3 bucket where key is path for zip file in the bucket. Function url is used for security and access control which can be set to false also. Environment variables can also be passed from parameter store if required. Secuirty group and subnet ids are passed as list if required.
+```
+module "lambda_test" {
+  source                  = "./lambda"
+  function_name           = "${var.prefix}-test-lambda"
+  handler                 = "lambda.handler"
+  lambda_runtime          = "python3.x"
+  s3_bucket               = "${var.prefix}-test-lambda"
+  s3_key                  = "lambda.zip"
+  description             = "Lambda resource with security group"
+  security_group_ids      = ["sg-1234567"]
+  subnets                 = ["subnet-1", "subnet-2"] 
+  function_url            = true
+  function_url_cors = {
+    allow_credentials = false
+    allow_headers     = ["header-1", "header-2"] 
+    allow_methods     = ["GET", "POST"]
+    allow_origins = [ 
+      "*"
+    ]
+  }
+  environment_variables = {
+    LOG_LEVEL = "info"
+    BASE_URL  = "https://example.com/v1/info"
+  }
+  env_vars_from_parameter_store = {
+    DB_HOST = "/${var.prefix}/DB_HOST"
+    DB_NAME = "/${var.prefix}/DB_NAME"
+    DB_PORT = "/${var.prefix}/DB_PORT"
+  }
+  logs_retention          = 14
+}
+```
+
+## Allow apigw to invoke lambda
+Api gateway will invoke the lambda function where function is created from zip file named lambda.zip uploaded in s3 bucket where key is path for zip file in the bucket. 
+```
+module "lambda_test" {
+  source                  = "./lambda"
+  function_name           = "${var.prefix}-test-lambda"
+  handler                 = "lambda.handler"
+  lambda_runtime          = "python3.x"
+  s3_bucket               = "${var.prefix}-test-lambda"
+  s3_key                  = "lambda.zip"
+  description             = "Allow apigw to invoke lambda"
+  apigw_execution_arn     = "arn:aws:apigateway:region::resource-path-specifier" 
+  logs_retention = 14
+}
+```
+
+## Create Lambda function from zip file when source file is passed
+Here a file named test.py is present in same directory and in output_path, we define the name for zip file which is created by test.py. Output_path will create zip file with name lambda.zip
+```
+module "lambda_test" {
+  source                  = ".lambda"
+  function_name           = "${var.prefix}-test-lambda"
+  handler                 = "lambda.handler"
+  lambda_runtime          = "python3.x"
+  source_file             = "test.py"
+  output_path             = "lambda.zip"
+  lambda_artifacts_bucket = "${var.prefix}-test-lambda"
+  description             = "Test lambda"
+  logs_retention          = 14
+}
+```
diff --git a/README.md b/README.md
@@ -0,0 +1,76 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_archive"></a> [archive](#provider\_archive) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_role.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.lambda_basic_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.lambda_vpc_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_lambda_function.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_function_url.function_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function_url) | resource |
+| [aws_lambda_permission.api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_lambda_permission.cognito](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_lambda_permission.eventbridge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_lambda_permission.sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [archive_file.lambda](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
+| [aws_iam_policy_document.lambda_service_trust_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_s3_object.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_object) | data source |
+| [aws_ssm_parameter.env_vars_from_parameter_store](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_apigw_execution_arn"></a> [apigw\_execution\_arn](#input\_apigw\_execution\_arn) | Apigw execution arn | `list` | `[]` | no |
+| <a name="input_cognito_pool_arn"></a> [cognito\_pool\_arn](#input\_cognito\_pool\_arn) | Cognito pool arn | `string` | `""` | no |
+| <a name="input_description"></a> [description](#input\_description) | Lambda function description | `any` | n/a | yes |
+| <a name="input_env_vars_from_parameter_store"></a> [env\_vars\_from\_parameter\_store](#input\_env\_vars\_from\_parameter\_store) | Lambda environment variables from SSM parameter store | `map(any)` | `{}` | no |
+| <a name="input_environment_variables"></a> [environment\_variables](#input\_environment\_variables) | Environment Variables for Lambda Functions | `map(any)` | `{}` | no |
+| <a name="input_eventbridge_rule_arn"></a> [eventbridge\_rule\_arn](#input\_eventbridge\_rule\_arn) | Eventbridge rule arn | `string` | `""` | no |
+| <a name="input_function_name"></a> [function\_name](#input\_function\_name) | Lambda function name | `any` | n/a | yes |
+| <a name="input_function_url"></a> [function\_url](#input\_function\_url) | Create lambda function url | `bool` | `false` | no |
+| <a name="input_function_url_cors"></a> [function\_url\_cors](#input\_function\_url\_cors) | Function url cors | `any` | `[]` | no |
+| <a name="input_handler"></a> [handler](#input\_handler) | Name of Handler | `any` | n/a | yes |
+| <a name="input_lambda_memory"></a> [lambda\_memory](#input\_lambda\_memory) | Required Memory for Lambda function | `number` | `128` | no |
+| <a name="input_lambda_runtime"></a> [lambda\_runtime](#input\_lambda\_runtime) | Lambda language | `any` | n/a | yes |
+| <a name="input_lambda_timeout"></a> [lambda\_timeout](#input\_lambda\_timeout) | Required Timeout for Lambda function | `number` | `5` | no |
+| <a name="input_layers_arn"></a> [layers\_arn](#input\_layers\_arn) | Lambda layer arn | `list(string)` | `null` | no |
+| <a name="input_logs_retention"></a> [logs\_retention](#input\_logs\_retention) | Specifies the number of days you want to retain log events in the specified log group | `number` | `null` | no |
+| <a name="input_output_path"></a> [output\_path](#input\_output\_path) | The name for the zip file created with the file described in source\_file | `string` | `""` | no |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | Prefix for resources | `string` | `""` | no |
+| <a name="input_publish"></a> [publish](#input\_publish) | Publish lambda function version | `bool` | `false` | no |
+| <a name="input_s3_bucket"></a> [s3\_bucket](#input\_s3\_bucket) | Lambda artifacts bucket | `string` | `""` | no |
+| <a name="input_s3_key"></a> [s3\_key](#input\_s3\_key) | Path of the zip file which is present in s3 bucket | `string` | `""` | no |
+| <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | Security geoup id | `list(any)` | `null` | no |
+| <a name="input_source_file"></a> [source\_file](#input\_source\_file) | Lambda source file | `string` | `""` | no |
+| <a name="input_sqs_queue_arn"></a> [sqs\_queue\_arn](#input\_sqs\_queue\_arn) | SQS queue arn | `string` | `""` | no |
+| <a name="input_subnets"></a> [subnets](#input\_subnets) | Subnets | `list(any)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_arn"></a> [arn](#output\_arn) | Lambda ARN |
+| <a name="output_function_name"></a> [function\_name](#output\_function\_name) | Name of the Lambda function. |
+| <a name="output_function_url"></a> [function\_url](#output\_function\_url) | Function url |
+| <a name="output_invoke_arn"></a> [invoke\_arn](#output\_invoke\_arn) | Lambda Invoke ARN |
+| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | Role arn |
+| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | Role name |
diff --git a/iam.tf b/iam.tf
@@ -0,0 +1,28 @@
+# --- lambda/iam.tf ---
+resource "aws_iam_role" "lambda" {
+  name               = "${var.function_name}-lambda"
+  assume_role_policy = data.aws_iam_policy_document.lambda_service_trust_policy.json
+}
+
+data "aws_iam_policy_document" "lambda_service_trust_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_vpc_access" {
+  count      = var.subnets != null && var.security_group_ids != null ? 1 : 0
+  role       = aws_iam_role.lambda.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
+  role       = aws_iam_role.lambda.id
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
diff --git a/main.tf b/main.tf
@@ -0,0 +1,137 @@
+# ------------------------------------------------------------------------------
+# CREATE EITHER S3 OBJECT OR ARCHIVE FILE
+# ------------------------------------------------------------------------------
+
+# Here lambda function will be created from zip file uploaded in s3 bucket where key is path for zip file in the bucket.
+data "aws_s3_object" "lambda" {
+  count  = var.s3_bucket != "" && var.s3_key != "" ? 1 : 0
+  bucket = var.s3_bucket
+  key    = var.s3_key
+}
+
+# Here a zip file will be created when source_file is passed and lambda function will be created from that zip file
+data "archive_file" "lambda" {
+  count       = var.source_file != "" && var.output_path != "" ? 1 : 0
+  type        = "zip"
+  source_file = var.source_file
+  output_path = var.output_path
+}
+
+data "aws_ssm_parameter" "env_vars_from_parameter_store" {
+  for_each = var.env_vars_from_parameter_store
+  name     = each.value
+}
+
+locals {
+  env_vars_from_parameter_store = length(keys(var.env_vars_from_parameter_store)) == 0 ? {} : zipmap(
+    [for key, value in var.env_vars_from_parameter_store : key],
+    [for parameter in data.aws_ssm_parameter.env_vars_from_parameter_store : parameter.value]
+  )
+  environment_variables = length(keys(var.environment_variables)) == 0 && length(keys(local.env_vars_from_parameter_store)) == 0 ? [] : [merge(var.environment_variables, local.env_vars_from_parameter_store)]
+}
+
+# ------------------------------------------------------------------------------
+# CREATE LAMBDA FUNCTION
+# ------------------------------------------------------------------------------
+#tfsec:ignore:aws-lambda-enable-tracing
+resource "aws_lambda_function" "lambda" {
+  function_name     = var.function_name
+  description       = var.description
+  handler           = var.handler
+  memory_size       = var.lambda_memory
+  role              = aws_iam_role.lambda.arn
+  runtime           = var.lambda_runtime
+  timeout           = var.lambda_timeout
+  s3_bucket         = try(data.aws_s3_object.lambda[0].bucket, null)
+  s3_key            = try(data.aws_s3_object.lambda[0].key, null)
+  s3_object_version = try(data.aws_s3_object.lambda[0].version_id, null)
+  filename          = try(data.archive_file.lambda[0].output_path, null)
+  layers            = var.layers_arn
+  publish           = var.publish
+
+  dynamic "environment" {
+    for_each = length(local.environment_variables) == 0 ? [] : local.environment_variables
+    content {
+      variables = environment.value
+    }
+  }
+
+  dynamic "vpc_config" {
+    for_each = var.subnets != null && var.security_group_ids != null ? [true] : []
+    content {
+      security_group_ids = var.security_group_ids
+      subnet_ids         = var.subnets
+    }
+  }
+}
+
+# ------------------------------------------------------------------------------
+# ASSIGN PERMISSION TO API GATEWAY, COGNITO, SQS AND EVENTBRIDGE
+# ------------------------------------------------------------------------------
+
+resource "aws_lambda_permission" "api" {
+  count         = length(var.apigw_execution_arn) > 0 ? 1 : 0
+  statement_id  = "AllowAPIGWLambdaInvoke"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.lambda.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${var.apigw_execution_arn}/*/*/*"
+}
+
+resource "aws_lambda_permission" "cognito" {
+  count         = length(var.cognito_pool_arn) > 0 ? 1 : 0
+  statement_id  = "AllowCognitoPoolLambdaInvoke"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.lambda.function_name
+  principal     = "cognito-idp.amazonaws.com"
+  source_arn    = var.cognito_pool_arn
+}
+
+resource "aws_lambda_permission" "sqs" {
+  count         = length(var.sqs_queue_arn) > 0 ? 1 : 0
+  statement_id  = "AllowExecutionFromSQS"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.lambda.function_name
+  principal     = "sqs.amazonaws.com"
+  source_arn    = var.sqs_queue_arn
+}
+
+resource "aws_lambda_permission" "eventbridge" {
+  count         = length(var.eventbridge_rule_arn) > 0 ? 1 : 0
+  statement_id  = "AllowExecutionFromEventBridge"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.lambda.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = var.eventbridge_rule_arn
+}
+
+# ------------------------------------------------------------------------------
+# LAMBDA LOG RETENTION
+# ------------------------------------------------------------------------------
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
+resource "aws_cloudwatch_log_group" "lambda" {
+  name              = "/aws/lambda/${aws_lambda_function.lambda.function_name}"
+  retention_in_days = var.logs_retention
+}
+
+# ------------------------------------------------------------------------------
+# CREATE LAMBDA FUNCTION URL
+# ------------------------------------------------------------------------------
+resource "aws_lambda_function_url" "function_url" {
+  count              = var.function_url ? 1 : 0
+  function_name      = aws_lambda_function.lambda.function_name
+  authorization_type = "NONE"
+
+  dynamic "cors" {
+    for_each = length(keys(var.function_url_cors)) == 0 ? [] : [var.function_url_cors]
+
+    content {
+      allow_credentials = try(cors.value.allow_credentials, null)
+      allow_headers     = try(cors.value.allow_headers, null)
+      allow_methods     = try(cors.value.allow_methods, null)
+      allow_origins     = try(cors.value.allow_origins, null)
+      expose_headers    = try(cors.value.expose_headers, null)
+      max_age           = try(cors.value.max_age, null)
+    }
+  }
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,30 @@
+# --- lambda/outputs.tf ---
+output "function_name" {
+  description = "Name of the Lambda function."
+  value       = aws_lambda_function.lambda.function_name
+}
+
+output "invoke_arn" {
+  description = "Lambda Invoke ARN"
+  value       = aws_lambda_function.lambda.invoke_arn
+}
+
+output "arn" {
+  description = "Lambda ARN"
+  value       = aws_lambda_function.lambda.arn
+}
+
+output "function_url" {
+  description = "Function url"
+  value       = var.function_url ? aws_lambda_function_url.function_url[0].function_url : null
+}
+
+output "role_name" {
+  description = "Role name"
+  value       = aws_iam_role.lambda.arn
+}
+
+output "role_arn" {
+  description = "Role arn"
+  value       = aws_iam_role.lambda.name
+}
diff --git a/provider.tf b/provider.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+  }
+}
diff --git a/variables.tf b/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+terraform.tfstate*`
	`2`	`+.terraform*`
	`3`	`+tfplan`