Module: lambda_function
Defines Lambda functions used in automation (e.g., controlled EC2 stop logic) and their invoke permissions. Each lambda key auto‑packages a Python source file found at src/functions/<lambda_key>.py into src/functions/<lambda_key>.zip during terraform plan/apply.
Input Map Key Pattern
Root variable: lambdas (map of objects).
| Field | Type | Required | Description |
|---|---|---|---|
| function_name | string | optional | Override generated name (prefix + key + suffix). |
| role | string | required | IAM role key (must exist in iamroles output map). |
| handler | string | required | Entrypoint (e.g., ec2_stop_function.lambda_handler). |
| runtime | string | required | Runtime (e.g., python3.12). |
| timeout | number | optional | Seconds (default 300). |
| memory_size | number | optional | MB (default 128). |
| description | string | optional | Function description. |
| publish | bool | optional | Publish version (default false). |
Related: lambda_permissions Map
Root variable: lambda_permissions defines invoke permissions separate from function definition.
| Field | Type | Required | Description |
|---|---|---|---|
| statement_id | string | required | Unique statement identifier |
| action | string | required | Typically lambda:InvokeFunction |
| function_name | string | required | Key of the lambda in lambdas map |
| principal | string | required | Service or account allowed to invoke (e.g. events.amazonaws.com, ssm.amazonaws.com) |
| source_arn | string | conditional | Restricts invoke source (e.g., EventBridge rule name resolved to ARN) |
Behavior
- Per‑lambda auto packaging: For every lambda key
X, Terraform looks forsrc/functions/X.py. - If present, it creates
src/functions/X.zipusing a dedicatedarchive_file(one per key). source_code_hashis the archive's base64 SHA256, causing updates only when the Python file changes.- No manual filename selection; zip artifacts are treated as build outputs and ignored by Git (
src/functions/*.zip). - Permissions managed via separate
lambda_permissionsmap. - Function name defaults to prefix + key + suffix unless
function_nameattribute is provided.
Example
src/functions/ec2_stop_function.py (your Python handler file) will be auto‑packaged.
lambdas = {
ec2_stop_function = {
role = "Lambda_AutoShutdownRole"
handler = "ec2_stop_function.lambda_handler"
runtime = "python3.12"
timeout = 300
}
}
lambda_permissions = {
eventbridge_permission = {
statement_id = "AllowEventBridgeInvoke"
action = "lambda:InvokeFunction"
function_name = "ec2_stop_function"
principal = "events.amazonaws.com"
source_arn = "ec2-shutdown-everynight"
}
ssm_permission = {
statement_id = "allow_ssm_invoke"
action = "lambda:InvokeFunction"
function_name = "ec2_stop_function"
principal = "ssm.amazonaws.com"
}
}