Lambda Function (Packaged & Wired)
Lambda with execution role, log group, triggers, aliases, and zip/container packaging handled.
Verification
Live-tested: really deployed, verified, idempotent and destroyed in a cloud sandbox.
Conformance
- Static validation (fmt · validate · tflint)
- Security scan: findings disclosed (Checkov)
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live-tested — applied, verified, destroyed
Last verified 2026-06-19
Documentation
aws-lambda
Lambda with execution role, log group, triggers, aliases, and zip/container
packaging handled. Works with Terraform and OpenTofu (>= 1.6), AWS
provider >= 6.0, < 7.0 (+ hashicorp/archive >= 2.4, < 3.0 for
zip-from-source packaging). Point it at a source directory, a prebuilt zip, an
S3 object, or an ECR image — the module wires everything else: IAM, logging,
invoke permissions, and event-source mappings with the exact read permissions
each source type needs.
Secure / sane defaults:
- Execution role is least-privilege: logs scoped to this function's log group only (no `AWSLambdaBasicExecutionRole` account-wide wildcard); VPC, X-Ray, DLQ, and event-source permissions are added only when the matching feature is configured, scoped to the configured ARNs
- `arm64` (Graviton) architecture by default, cheaper per ms
- Log group managed explicitly with 30-day retention (KMS optional) and wired via `logging_config`, so retention applies before the first invoke
- Optional alias gives triggers and event sources a stable qualifier
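To make the first and third defaults concrete, the following is the shape of a log-scoped execution role beside the managed policy it replaces. It is an added illustration written for this page, not the module's source: the `/aws/lambda/<name>` group name, the resource names and the sample `function_name` value are assumptions.

```hcl
# Added illustration, not the module's own code. AWSLambdaBasicExecutionRole
# grants logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents on
# Resource "*", i.e. write access to every log group in the account. The
# statements below grant the same capability for one group only.

variable "function_name" {
  type    = string
  default = "orders-worker" # assumed value, matches the Usage example
}

# Group created ahead of the function, so retention is in force before the
# first invoke. A function that creates its own group gets one with no expiry.
resource "aws_cloudwatch_log_group" "this" {
  name              = "/aws/lambda/${var.function_name}" # assumed naming
  retention_in_days = 30
}

data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

# Scoped statement: log streams inside this one group only. logs:CreateLogGroup
# is deliberately absent; the group already exists, and without that action the
# function cannot start writing into a differently named group either.
data "aws_iam_policy_document" "logs" {
  statement {
    sid       = "WriteOwnLogGroup"
    effect    = "Allow"
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    # The group ARN carries no ":*" suffix; streams live one level below it.
    resources = ["${aws_cloudwatch_log_group.this.arn}:*"]
  }
}

resource "aws_iam_role" "exec" {
  name               = "${var.function_name}-exec"
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

resource "aws_iam_role_policy" "logs" {
  name   = "logs"
  role   = aws_iam_role.exec.id
  policy = data.aws_iam_policy_document.logs.json
}

# The wildcard alternative, shown only for contrast. Do not attach both.
# resource "aws_iam_role_policy_attachment" "basic" {
#   role       = aws_iam_role.exec.name
#   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
# }
```

Point the function's `logging_config` `log_group` argument at the group created here. When reviewing a plan for this module, the check is exactly this pattern: every `logs:` statement names a resource ending in `:log-group:/aws/lambda/<name>:*`, and no statement in the execution role carries `Resource = "*"`.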
Usage
```hcl
module "worker" {
  source = "./aws-lambda"

  function_name = "orders-worker"
  runtime       = "python3.13"
  handler       = "app.handler"
  source_dir    = "${path.module}/src" # zipped automatically

  publish    = true
  alias_name = "live"

  environment_variables = { LOG_LEVEL = "info" }

  event_source_mappings = {
    orders = {
      event_source_arn    = aws_sqs_queue.orders.arn
      batch_size          = 10
      maximum_concurrency = 20
    }
  }

  allowed_triggers = {
    apigw = {
      principal  = "apigateway.amazonaws.com"
      source_arn = "${aws_apigatewayv2_api.this.execution_arn}/*"
    }
  }

  tags = { Environment = "prod" }
}
```
Inputs (key)
| Name | Type | Default | Description |
|---|---|---|---|
| `function_name` | string | — | Function name (required) |
| `source_dir` / `filename` / `s3_bucket` + `s3_key` / `image_uri` | string | null | Packaging; set exactly one source |
| `runtime`, `handler` | string | null | Required for zip packages; ignored for images |
| `architecture` | string | "arm64" | arm64 or x86_64 |
| `memory_size` / `timeout` / `ephemeral_storage_size` | number | 256 / 30 / 512 | Sizing (MB / seconds / MB) |
| `publish` + `alias_name` | bool + string | false / null | Publish versions and point an alias at them |
| `environment_variables`, `kms_key_arn`, `layers` | — | {} / null / [] | Runtime config |
| `vpc_config` | object | null | {subnet_ids, security_group_ids}; ENI policy auto-attached |
| `dead_letter_target_arn` | string | null | SQS/SNS ARN; send/publish granted on exactly this ARN |
| `tracing_mode` | string | "PassThrough" | Active auto-attaches the X-Ray write policy |
| `log_retention_days` / `log_format` / `log_kms_key_arn` | — | 30 / "Text" / null | Logging |
| `execution_role_arn` | string | null | Bring your own role (module then creates no IAM) |
| `policy_json` / `policy_arns` | — | null / [] | The function's business permissions |
| `allowed_triggers` | map(object) | {} | aws_lambda_permission entries keyed by statement id |
| `event_source_mappings` | map(object) | {} | SQS / DynamoDB Streams / Kinesis mappings (starting_position required for streams, unset for SQS) |
| `tags` | map(string) | {} | Tags for all resources |
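The Usage block above covers the SQS path; the inputs that the table lists but that example does not exercise (a prebuilt zip, `policy_json`, a stream mapping with `starting_position`, DLQ, tracing, VPC and KMS wiring, an async trigger) are shown together here. This is an added example, not from the module's documentation. It assumes an `aws_dynamodb_table.orders` with streams enabled, an `aws_sqs_queue.dlq`, an `aws_cloudwatch_event_rule.nightly`, an `aws_security_group.worker`, an `aws_kms_key.app` and a `private_subnet_ids` variable exist elsewhere in the root module; object attribute names are the ones the table and the Usage block name.

```hcl
# Added example, not module documentation. Assumes the referenced table,
# queue, rule, security group, key and variable exist in the root module.

# Business permissions stay out of the role the module builds for its own
# features and come in through policy_json, scoped to the one table read.
data "aws_iam_policy_document" "worker" {
  statement {
    sid       = "ReadOrdersTable"
    effect    = "Allow"
    actions   = ["dynamodb:GetItem", "dynamodb:Query"]
    resources = [aws_dynamodb_table.orders.arn]
  }
}

module "orders_stream_worker" {
  source = "./aws-lambda"

  function_name = "orders-stream-worker"
  runtime       = "python3.13"
  handler       = "app.handler"
  filename      = "${path.module}/dist/worker.zip" # prebuilt zip: exactly one source
  architecture  = "arm64"
  memory_size   = 512 # MB
  timeout       = 60  # seconds

  publish    = true
  alias_name = "live" # mapping and trigger below bind to the alias, not $LATEST

  # The module adds only the stream-read, ENI, X-Ray and DLQ statements the
  # features below require; this document covers everything else.
  policy_json = data.aws_iam_policy_document.worker.json

  # Used for asynchronous invocations only (the EventBridge trigger below).
  # Batches that fail in the stream mapping are retried by the mapping itself
  # and never reach this queue. The module grants sqs:SendMessage on this ARN.
  dead_letter_target_arn = aws_sqs_queue.dlq.arn

  tracing_mode = "Active" # X-Ray write policy attached automatically

  vpc_config = {
    subnet_ids         = var.private_subnet_ids
    security_group_ids = [aws_security_group.worker.id]
  }

  environment_variables = { TABLE_NAME = aws_dynamodb_table.orders.name }
  kms_key_arn           = aws_kms_key.app.arn # customer key for env vars at rest
  # The same key may encrypt the log group, but its key policy must then allow
  # the CloudWatch Logs service principal for this region to use it.
  log_kms_key_arn    = aws_kms_key.app.arn
  log_retention_days = 90

  event_source_mappings = {
    orders_stream = {
      event_source_arn  = aws_dynamodb_table.orders.stream_arn
      starting_position = "LATEST" # required for streams, unset for SQS
      batch_size        = 100
    }
  }

  allowed_triggers = {
    nightly = {
      principal  = "events.amazonaws.com"
      source_arn = aws_cloudwatch_event_rule.nightly.arn # one rule, not a wildcard
    }
  }

  tags = { Environment = "prod", Service = "orders" }
}
```

Two things worth checking in the plan for a configuration like this: the stream statement the module adds should name `aws_dynamodb_table.orders.stream_arn` and nothing broader, and the `aws_lambda_permission` for the rule should carry a `source_arn` (a permission with only a `principal` lets any EventBridge rule in any account invoke the function).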
Outputs
function_name, function_arn, qualified_arn, invoke_arn, version,
alias_arn, role_arn, role_name, log_group_name, log_group_arn,
event_source_mapping_uuids.
Requirements
- Terraform or OpenTofu >= 1.6
- hashicorp/aws >= 6.0, < 7.0
- hashicorp/archive >= 2.4, < 3.0 (only exercised when `source_dir` is used)
Verification
Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.
License
Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).