Lambda Function (Packaged & Wired)

aws-lambda

Lambda with execution role, log group, triggers, aliases, and zip/container packaging handled. Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0 (+ hashicorp/archive >= 2.4, < 3.0 for zip-from-source packaging). Point it at a source directory, a prebuilt zip, an S3 object, or an ECR image — the module wires everything else: IAM, logging, invoke permissions, and event-source mappings with the exact read permissions each source type needs.

Secure / sane defaults:

• Execution role is least-privilege: logs scoped to this function's log group only (no AWSLambdaBasicExecutionRole account-wide wildcard); VPC, X-Ray, DLQ, and event-source permissions are added only when the matching feature is configured, scoped to the configured ARNs
• arm64 (Graviton) architecture by default — cheaper per ms
• Log group managed explicitly with 30-day retention (KMS optional) and wired via logging_config, so retention applies before the first invoke
• Optional alias gives triggers and event sources a stable qualifier

Usage

module "worker" {
  source = "./aws-lambda"

  function_name = "orders-worker"
  runtime       = "python3.13"
  handler       = "app.handler"
  source_dir    = "${path.module}/src"   # zipped automatically

  publish    = true
  alias_name = "live"

  environment_variables = { LOG_LEVEL = "info" }

  event_source_mappings = {
    orders = {
      event_source_arn    = aws_sqs_queue.orders.arn
      batch_size          = 10
      maximum_concurrency = 20
    }
  }

  allowed_triggers = {
    apigw = {
      principal  = "apigateway.amazonaws.com"
      source_arn = "${aws_apigatewayv2_api.this.execution_arn}/*"
    }
  }

  tags = { Environment = "prod" }
}

Inputs (key)

Name	Type	Default	Description
function_name	string	—	Function name (required)
source_dir / filename / s3_bucket+s3_key / image_uri	string	null	Packaging — set exactly one source
runtime, handler	string	null	Required for zip packages; ignored for images
architecture	string	"arm64"	arm64 or x86_64
memory_size / timeout / ephemeral_storage_size	number	256 / 30 / 512	Sizing
publish + alias_name	bool + string	false / null	Publish versions and point an alias at them
environment_variables, kms_key_arn, layers	—	{} / null / []	Runtime config
vpc_config	object	null	{subnet_ids, security_group_ids}; ENI policy auto-attached
dead_letter_target_arn	string	null	SQS/SNS ARN; send/publish granted on exactly this ARN
tracing_mode	string	"PassThrough"	Active auto-attaches the X-Ray write policy
log_retention_days / log_format / log_kms_key_arn	—	30 / "Text" / null	Logging
execution_role_arn	string	null	Bring your own role (module then creates no IAM)
policy_json / policy_arns	—	null / []	The function's business permissions
allowed_triggers	map(object)	{}	aws_lambda_permission entries keyed by statement id
event_source_mappings	map(object)	{}	SQS / DynamoDB Streams / Kinesis mappings (starting_position required for streams, unset for SQS)
tags	map(string)	{}	Tags for all resources

Outputs

function_name, function_arn, qualified_arn, invoke_arn, version, alias_arn, role_arn, role_name, log_group_name, log_group_arn, event_source_mapping_uuids.

Requirements

• Terraform or OpenTofu >= 1.6
• hashicorp/aws >= 6.0, < 7.0
• hashicorp/archive >= 2.4, < 3.0 (only exercised when source_dir is used)

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).