Deploying AWS Lambda with Terraform
Serverless is a hot topic in Cloud, so as Infrastructure as Code(IaC). Infrastructure as code (IaC) tools allow you to manage infrastructure with configuration files rather than through a graphical user interface. IaC allows you to build, change, and manage your infrastructure in a safe, consistent, and repeatable way by defining resource configurations that you can version, reuse, and share.
It’s quite easy to get used to Terraform if you are familiar with CloudFormation as they all being tools to implement infrastructure as code on Cloud Provider, such as AWS. It’s a cornerstone of DevOps, designed to boost the agility, productivity and quality of work within organizations.
This article will cover: the basic components of deploying lambda, and related step to set up a lambda through Terraform.
A series article will be published to cover several topic including:
- Difference between Terraform and CloudFormation
- Workflow of Setting up Schedule Lambda to Sync Data Between two s3 Bucket.
- Automate Terraform with GitHub Actions
- Use PGP to Encrypt Your Terraform Secrets
Deploy a Lambda Function with Terraform
Let’s deploy a simple lambda function to AWS using Terraform. Talk is cheap, let’s show you the code.
Prerequisite
- Install Terraform CLI
- Install it through Terraform’s website.
- Check the version of it to ensure it works using
terraform --version
- Creating AWS IAM User from console
- Ensure IAM user has programmatic access.
- Giving it Administrator access permission to ensure followed resources creation.
Main Steps
Source Code Needed
For this project, let’s create a directory named src
to store is source code. Create file hello.py
,which contain followed code:
1 | def lambda_handler(event, context): |
Define Variables
The next step is to define all the variables in var.tf
, all of them can be hard code in other resources definition, but hard to manage them and not to mention reuse them. For that end, variable is suitable to be extracted and define in separate way.
1 | variable "function_name" { |
Data Definition
For the lambda function, it needs proper permission to perform manipulation of other sources and it may have multiple permission statement and sometimes hard to read if policies are directly put in main file. Below is a data sample to give lambda function permission to list all objects in a s3 bucket.
And also, AWS allow zip file to be uploaded for lambda function, that’s why data type archive_file
is needed and it point to the builds directory for zip file, and need to know which folder is the source code folder.
1 | data "aws_iam_policy_document" "lambda_permissions" { |
Lambda Definition
Finally, we get to define the related resources in lambda.tf
, it contains three resources:
lambda_s3_policy
: A policy to consume predefined permission indata.tf
iam_role_for_lambda
: An IAM role for lambda to consume role and also attach above policy to the role.schedule_lambda
: Lambda function with many definitions:filename
point to the zip filefunction_name
need no explanationruntime
define the version and explainer of the function, such aspython3.7
handler
take two input (event
andcontext
) when function is invoked. For this projecthello
is the file name andlambda_handler
is the method name.- Predefined
role
is assigned to the function source_code_hash
is aim to detect code change and update when needed since hash will change when the source code change.environment
define the variables for function.
1 | resource "aws_iam_policy" "lambda_s3_policy" { |
Provider Information
provider.tf
should be noted that the region in which S3 bucket is created, same region should be entered above.
1 | provider "aws" { |
Run Command Line
Now we almost done all the code work. And run some command to deploy:
terraform init
to download all the required plugins.terraform plan
to check the integrity of the code.terraform apply
to deploy all the resources into AWS cloud. Also,terraform apply -auto-approve
could spare you from manually inputyes
during the procedure to do the confirmation.
Well done! And all we need to do is to check whether resources have been created through AWS Console.
Terraform Lambda Resources
There are a lot resources in Terraform to provision lambda function and related resources such as attached policies.
aws_lambda_function
A Lambda function needs code and an IAM role to run a function. Code is deployed on an S3 bucket as a deployment package (zip file).
1 | resource "aws_lambda_function" "sample_lambda" { |
A single resource of aws_lambda_function
is not enough, because no permission is granted by default, so it has to be configured with a execution role to allow the function to assume role to get permission it need.
1 | resource "aws_iam_role" "iam_role_for_lambda" { |
aws_lambda_alias
Resource aws_lambda_alias
provide clients with a function identifier that you can update to invoke a different version. It also useful when a lambda function still in test stage and invocation could be split and route to different version of function.
1 | resource "aws_lambda_alias" "test_lambda_alias" { |
aws_lambda_function_event_invoke_config
Manages an asynchronous invocation configuration for a Lambda Function or Alias. Such as destination configuration:
1 | resource "aws_lambda_function_event_invoke_config" "example" { |
aws_lambda_layer_version
This provides a Lambda Layer Version resource. Lambda Layers allow you share the reusable code through layers across multiple Lambda functions.
1 | resource "aws_lambda_layer_version" "lambda_nodejs_layer" { |
aws_lambda_permission
This resource provides other AWS services, such as S3 and DynamoDB, access to the Lambda function.
1 | resource "aws_lambda_permission" "allow_s3" { |
References
Deploying AWS Lambda with Terraform
http://vincentgaohj.github.io/Blog/2022/04/11/Deploying-AWS-Lambda-with-Terraform/