spring-media / terraform-aws-lambda Goto Github PK

AWS console displays a new warning sign about missing CloudWatch logs permissions:

This is not true since the permissions from AWSLambdaBasicExecutionRole are applied by this module. Nevertheless we should add this role to the permissions to get rid of the banner.

Further development of this module will be continued in moritzzimmer/terraform-aws-lambda.

Users of spring-media/lambda/aws should migrate to this module as a drop-in replacement for all provisions up to release/tag 5.2.1 to benefit from new features and bugfixes.

module "lambda" {
  source           = "moritzzimmer/lambda/aws"
  version          = "5.2.1"
  filename         = "my-package.zip"
  function_name    = "my-function"
  handler          = "my-handler"
  runtime          = "go1.x"
  source_code_hash = filebase64sha256("${path.module}/my-package.zip")
}

Lambda functions can be triggered from CloudWatch either by event_pattern or schedule_expression , see https://www.terraform.io/docs/providers/aws/r/cloudwatch_event_rule.html.

Currently only the latter is supported in this module. Idea: deprecate the current cloudwatch-scheduled-event sub-module in favor of a cloudwatch sub-module supporting both.

Currently this module configures the following policy for ssm_parameter_names:

data "aws_iam_policy_document" "ssm_policy_document" {
  count = length(var.ssm_parameter_names)

  statement {
    actions = [
      "ssm:GetParameters",
      "ssm:GetParametersByPath",
    ]

    resources = [
      "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${element(var.ssm_parameter_names, count.index)}",
    ]
  }
}

This datasource should also permit ssm:GetParameter.

The publish variable defaults to true in the main module, https://github.com/spring-media/terraform-aws-lambda/blob/master/variables.tf#L60. However in the submodule, it defaults false, https://github.com/spring-media/terraform-aws-lambda/blob/master/modules/lambda/variables.tf#L43.

The docs indicate the default is false, https://www.terraform.io/docs/providers/aws/r/lambda_function.html#publish. Was there an intentional reason to set to true?

Hello,

Thanks for this useful component.

I would like to request an example of https://github.com/spring-media/terraform-aws-lambda/tree/master/examples/example-with-sqs-event involving the creation of the required SQS queue instead of hard-coding the ARN on it.

There are different possibilities and recommendations how to manage and access secrets (e.g. database passwords) inside Lambda functions (see e.g here and here).

Currently this module supports reading (optionally encrypted) parameters from AWS Systems Manager Parameter Store at runtime by creating IAM policies allowing access to and decryption of parameters by setting ssm_parameter_names and kms_key_arn. This is the recommended way for Lambda functions if the Parameter Store API limits are no concern in case of horizontal scaling.

Unfortunately kms_key_arn conflicts with the parameter specified in the Terraform Lambda ressource to specify a key that is used to encrypt environment variables.

Proposal:

• create a new configuration option (e.g. ssm { parameters: [], kms_key_arn: ""}) to configure IAM policies for runtime SSM access (with custom key)
• switch (optional) variable kms_key_arn to it's default meaning an pass it down to lambda submodule
• (optionally) support configuration option for using AWS Secrets Manager

in case consumers need more permissions that CloudWatch Logs (e.g. Parameter Store, KMS, ...)

We should be giving the lambda executing role name a distinct name (e.g prefix it with tf) in order to avoid confusion:

role = "${module.lambda.function_name}"

Every time i run my terraform the lambda module thinks it needs recreation. This is the output I get when running a plan:

resource "aws_lambda_function" "lambda" {
...
...
      ~ last_modified                  = "2020-07-07T14:23:45.641+0000" -> (known after apply)
        layers                         = []
        memory_size                    = 128
...
...

Is there a way I can avoid this? last_modified is the only attribute that needs changing. It would be good if we could pass some variable so the resource can have a lifecycle (or it could be just added to the resource):

lifecycle {
    ignore_changes = [
      last_modified
    ]
  }

Many thanks.

Allow for a new role or additional permissions be added to the role